The only way to allow all users (even unauthenticated users) through is to not declare any elements; declaring a <role-name>*</role-name> is equivalent to allowing any authenticated user to access the resource.
Marcos R Oliveira wrote: In Head First, the two configurations have the same effect but the user must always be authenticated because the <security-constraint> is never removed.
It is a bit more subtle: having an <auth-constraint> requires the container to authenticate the user. After authentication the user is allowed to access the secured resource no matter what role he has. If there is no <auth-constraint> declared in a <security-constraint> then the container must accept the request without requiring the user to be authenticated.
The effect of the two configurations is almost the same; however, unauthenticated users are only allowed in the latter.
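As an added example (not code from the thread or from Head First), the following sketch audits a deployment descriptor and reports, for each `<security-constraint>`, who gets through according to the rules described above. The sample `web.xml`, the function names and the result labels are constructed for illustration; the sketch goes one step beyond the thread by also reporting an empty `<auth-constraint/>`, which the servlet specification treats as "no access", and it looks at each constraint on its own rather than combining overlapping ones.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (not from the thread).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>any-role</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>no-auth-constraint</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""


def local(tag):
    """Drop an XML namespace prefix such as {http://...}web-app."""
    return tag.rsplit("}", 1)[-1]


def classify_constraints(web_xml):
    """Return {url-pattern: access} for every <security-constraint>."""
    result = {}
    root = ET.fromstring(web_xml)
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        auth = [e for e in sc.iter() if local(e.tag) == "auth-constraint"]
        roles = [e.text.strip() for a in auth for e in a.iter()
                 if local(e.tag) == "role-name" and e.text]
        if not auth:
            # No <auth-constraint>: the container must not require login.
            access = "everyone, authentication not required"
        elif "*" in roles:
            access = "any authenticated user"  # as described in the thread
        elif roles:
            access = "roles: " + ", ".join(roles)
        else:
            access = "nobody"  # empty <auth-constraint/> denies all access
        for e in sc.iter():
            if local(e.tag) == "url-pattern":
                result[(e.text or "").strip()] = access
    return result


if __name__ == "__main__":
    for pattern, access in classify_constraints(SAMPLE_WEB_XML).items():
        print(f"{pattern}: {access}")
```

Constraints reported as "everyone, authentication not required" are the ones to review, since a missing `<auth-constraint>` is easy to mistake for a protected resource.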