Hi Kanishka,
In the current scenario, any requests (be it from any role/user) to "/index.jsp" will be authenticated because "/index.jsp" is a constrained resource. Have I got it right?
Almost correct, but not exactly: only the requests that are using a POST.
If there is a request accessing /index.jsp via a GET, the user firing it won't be asked for authentication...
Regards,
Frits
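
Added example, not part of Frits's reply or the descriptor under discussion: a small Python check that lists, for each url-pattern in a web.xml, the HTTP methods that no security-constraint covers. The descriptor, the role names and the /admin/* entry are constructed for illustration, and each url-pattern is treated as a literal string (no overlap matching between patterns).

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (assumption, not from the thread):
# /index.jsp is constrained for POST only, /admin/* for every method.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/index.jsp</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

STANDARD_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"]

def local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def uncovered_methods(web_xml):
    """Map each url-pattern to the standard HTTP methods no constraint covers."""
    covered = {}
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        for wrc in (e for e in sc if local(e.tag) == "web-resource-collection"):
            named = {e.text.strip().upper() for e in wrc if local(e.tag) == "http-method"}
            omitted = {e.text.strip().upper() for e in wrc if local(e.tag) == "http-method-omission"}
            # Listed methods: only those are constrained. None listed: all
            # methods are constrained, minus any http-method-omission entries.
            methods = named or set(STANDARD_METHODS) - omitted
            for e in wrc:
                if local(e.tag) == "url-pattern":
                    covered.setdefault(e.text.strip(), set()).update(methods)
    return {p: [m for m in STANDARD_METHODS if m not in c] for p, c in covered.items()}

if __name__ == "__main__":
    for pattern, gaps in uncovered_methods(WEB_XML).items():
        print(pattern, "uncovered:", ", ".join(gaps) or "none")
```

Removing the `<http-method>` element from the /index.jsp collection makes the constraint apply to every method, and the check then reports no gaps for that pattern.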