I know that NO <auth-constraint> means everyone has access.
I also know that an empty <auth-constraint/> means nobody has access.
But what happens when two different <security-constraint> sections have the same <url-pattern> and one has no <auth-constraint> and the other has an empty <auth-constraint/>? See the code sample below for an example of what I mean...
In my tests I expected it to deny access, thinking that the "deny all" behaviour of the empty <auth-constraint/> should override the section with the "allow-all" missing <auth-constraint>.
However, to my surprise, I am able to access the specified <url-pattern>.
Is this the correct behaviour? Have I missed something?
Yes, I am using Tomcat 5.something. Thanks for that info.
So, in spite of my real-world experience, if by some eerie coincidence I get this as a question on the test, I should assume that an empty auth-constraint beats everything and denies access to all, right?
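
The combination rule in question, as the Servlet specification states it for constraints that match the same url-pattern and http-method, modelled as an added example (not code from this thread or from any container). It goes beyond the one case asked about by also covering constraints that name roles; the class name, method name and role names are hypothetical, and the special role name `*` is not modelled.

```java
import java.util.*;

// Added illustration: models the Servlet specification's rule for combining
// <security-constraint> elements that match the same url-pattern and http-method.
// Class and method names are hypothetical; this is not container code.
public class ConstraintCombiner {

    // Each entry is one matching constraint's <auth-constraint>:
    //   null      -> the constraint has no <auth-constraint> element
    //   empty set -> <auth-constraint/> naming no roles
    //   otherwise -> the role-name values it lists
    static String combine(List<Set<String>> authConstraints) {
        boolean anyWithoutAuthConstraint = false;
        Set<String> permittedRoles = new TreeSet<>();
        for (Set<String> roles : authConstraints) {
            if (roles == null) {
                anyWithoutAuthConstraint = true;
            } else if (roles.isEmpty()) {
                // An auth-constraint naming no roles overrides every other constraint.
                return "DENY_ALL";
            } else {
                permittedRoles.addAll(roles);
            }
        }
        // A constraint without an auth-constraint, combined with ones that
        // name roles, permits unauthenticated access. An empty input list
        // (no constraint applies at all) is also unrestricted.
        if (anyWithoutAuthConstraint || permittedRoles.isEmpty()) {
            return "PERMIT_ALL";
        }
        // Otherwise the permitted roles are the union of the named roles.
        return "ROLES " + permittedRoles;
    }

    public static void main(String[] args) {
        Set<String> none = null;                              // no <auth-constraint>
        Set<String> empty = Collections.emptySet();           // <auth-constraint/>
        Set<String> admin = Collections.singleton("admin");   // constructed role name
        Set<String> user = Collections.singleton("user");     // constructed role name

        // The case asked about: missing auth-constraint plus empty auth-constraint.
        System.out.println(combine(Arrays.asList(none, empty)));
        System.out.println(combine(Arrays.asList(none, admin)));
        System.out.println(combine(Arrays.asList(admin, user)));
        System.out.println(combine(Arrays.asList(admin, empty)));
    }
}
```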