confusion in <auth-constrain>

I have doubt in :

Q.30 from HFSJ final mock test

Ques is:

Your web application has a valid deployment descriptor in which student and sensei are the only security roles that have been defined.
The deployment descriptor contains two security constrains that declare the same resource to be constrained . These constrains are :

<auth-constrain> <role-name>student</role-name> </auth-constrain> <auth-constrain/>

which are true ?

A. As the D.D. stands now, the constrained resource can be accessed by both the roles.
B.As the D.D. stands now, the constrained resource can be accessed by only sensei users.
c.As the D.D. stands now, the constrained resource can be accessed by only student users.
D. If the second <auth-constrain> tag is removed , the constrained resource can be accessed by both roles.
E.If the second <auth-constrain> tag is removed , the constrained resource can be accessed only by sensei users.
F.If the second <auth-constrain> tag is removed , the constrained resource can be accessed only by student users.

The answer given is : D

but i think F.

am I correct ? please make me correct if I am wrong.

Hi Ana,

I think you are correct, that must be a mistake in the mock-exam. The second <auth-constraint> disallows everybody, so when it is removed the other constraint applies and this will allow students. (note: it is constraint i.s.o constrain)

Regards,
Frits

ana,

This is indeed a mistake, as stated in the Errata. The correct answer is F.

thanks guys.

Hi

Lack of <auth-constraint> means unauthenticated access.

So both roles will be allowed to access the resources.

The errata mentioned above is wrong! Though the errata got approved by authors but it is wrong.

See this post