I think that no user is allowed to access, since the spec says: "The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded."
So when there is a condition like nobody and everybody --> nobody...
means that NO USER is allowed access to the resource outlined in the <web-resource-collection> element;
however, it does not restrict other resources within the same application from accessing the resource.
Please also note: The "*" will allow access to all role names defined in the deployment descriptor.
Also, some folks have been asking for sources so this is direct from SUN:
An authorization constraint establishes a requirement for authentication and names the roles authorized to access the URL patterns and HTTP methods declared by this security constraint. If there is no authorization constraint, the container must accept the request without requiring user authentication. If there is an authorization constraint, but no roles are specified within it, the container will not allow access to constrained requests under any circumstances. The wildcard character * can be used to specify all role names defined in the deployment descriptor. Security roles are discussed in Working with Security Roles.
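The combination rule discussed in this thread, as an added example that is not part of the original posts or of any container's code: a small evaluator run over a constructed web.xml fragment in which an "everybody" constraint and a "nobody" constraint cover the same URL pattern. Assumptions: the fragment has no XML namespace, URL patterns are compared as exact strings, HTTP methods are ignored, and `allowed_roles` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed deployment descriptor fragment (sample input, no XML namespace).
WEB_XML = """<web-app>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>everybody</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>nobody</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>members</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def allowed_roles(web_xml, url_pattern):
    """Return None when no authentication is required, otherwise the set of
    roles allowed for url_pattern (an empty set means access is precluded)."""
    root = ET.fromstring(web_xml)
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    matching = [sc for sc in root.findall("security-constraint") if url_pattern in
                [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]]
    if not matching:
        return None  # no constraint applies: request accepted without authentication
    auths = [sc.find("auth-constraint") for sc in matching]
    named = [{r.text.strip() for r in a.findall("role-name")}
             for a in auths if a is not None]
    if any(not roles for roles in named):
        return set()  # an auth-constraint naming no roles overrides all others
    if len(named) < len(auths):
        return None  # Servlet spec rule not quoted above: a constraint with no auth-constraint allows unauthenticated access
    roles = set().union(*named)
    return (roles - {"*"}) | declared if "*" in roles else roles
```

For `/reports/*` the result is the empty set (nobody wins over everybody), while `/account/*` expands `*` to the declared roles `admin` and `user`.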