My reading says that if <login-config> element is present in the DD
then a user must be authenticated before accessing <security-constraint> elements.
What happens if you have constrained resources via the <secuirity-constraint> but no <login-config> element is present in the DD?
Is there a default login-config OR since no authentication method is given, nobody can access the constrained resouces?