If you want to extend these exclusions to the unconstrained parts of your application, also include the URL pattern / (forward slash):
<display-name>Deny all HTTP methods except GET and POST</display-name>
What does the <url-pattern>/</url-pattern> mean? Some article says if nothing (url-pattern) else is a match, then consider the security-constraint with <url-pattern>/</url-pattern>.
But I am not sure if that is true or not.
"/" is the root of the web application. That is, it's the resource referenced in something like http://www.coderanch.com/forums/ if "/forums" is the URL context for the (hypothetical) "forums" webapp.
In J(2)EE, the root is resolved by looking at web.xml for the <welcome-page> element. If one is found, then that resource (for example, "/index.jsp") is returned.
That points out a very important distinction. J2EE container security does not protect resources, it protects URLs. If more than one URL pattern can return the same webapp resource and one is secured and one is not, you can obtain the "secured" resource by using the insecure URL.
That's the case in JavaServer Faces, where the URL lags behind the resource, since the URL is more like a session handle than a true resource locator in JSF. The JSF "redirect" feature eliminates that lag so that secured resources can stay secured.
An IDE is no substitute for an Intelligent Developer.
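Added example, not posted by anyone in this thread: a small Python model of how a container picks the security-constraint for a request URL under the Servlet specification's url-pattern precedence (exact match, then longest path prefix, then extension, then the default pattern "/"). It shows the two points above: the "/" constraint is consulted only when no other pattern matches, and a constraint guards a URL pattern, not the resource behind it, so a second, unconstrained URL that serves the same JSP leaks it. Constraint combination is simplified (an empty auth-constraint denies, a missing one permits, otherwise roles are unioned), and the constraints, URL-to-resource map and paths are constructed for the demo.

```python
"""Model of Servlet-spec url-pattern selection for <security-constraint>.
Constructed example; combination rules are simplified (see comments)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SecurityConstraint:
    name: str
    url_patterns: List[str]
    # None: constraint covers every HTTP method (no <http-method> listed)
    http_methods: Optional[Set[str]] = None
    # Methods listed in <http-method-omission>; these are NOT covered
    http_method_omissions: Set[str] = field(default_factory=set)
    # None: no <auth-constraint> (unrestricted); set(): empty <auth-constraint/>
    # (denies everyone); non-empty: roles allowed to access
    roles: Optional[Set[str]] = None

    def covers_method(self, method: str) -> bool:
        if self.http_methods is not None:
            return method in self.http_methods
        return method not in self.http_method_omissions


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet spec 12.2 pattern syntax: '/', '/prefix/*', '*.ext', exact."""
    if pattern == "/":                      # default pattern matches any path
        return True
    if pattern.endswith("/*"):              # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):            # extension mapping
        return path.endswith(pattern[1:])
    return path == pattern                  # exact mapping


def pattern_rank(pattern: str) -> Tuple[int, int]:
    """Sort key for spec 12.1 precedence: exact > longest prefix > ext > '/'."""
    if pattern == "/":
        return (0, 0)
    if pattern.startswith("*."):
        return (1, 0)
    if pattern.endswith("/*"):
        return (2, len(pattern))
    return (3, 0)


def best_pattern(path: str, patterns: Set[str]) -> Optional[str]:
    matching = [p for p in patterns if pattern_matches(p, path)]
    return max(matching, key=pattern_rank) if matching else None


def decide(method: str, path: str, constraints: List[SecurityConstraint]) -> str:
    """'unconstrained', 'denied', or 'roles:<comma-separated allowed roles>'.
    Only constraints carrying the single best-matching pattern apply."""
    all_patterns = {p for c in constraints for p in c.url_patterns}
    best = best_pattern(path, all_patterns)
    applicable = [c for c in constraints
                  if best in c.url_patterns and c.covers_method(method)]
    if not applicable:
        return "unconstrained"
    if any(c.roles == set() for c in applicable):   # empty <auth-constraint/>
        return "denied"
    if any(c.roles is None for c in applicable):    # no <auth-constraint>
        return "unconstrained"
    roles = set().union(*(c.roles for c in applicable))
    return "roles:" + ",".join(sorted(roles))


def exposed_resources(url_map: Dict[str, str],
                      constraints: List[SecurityConstraint],
                      method: str = "GET") -> List[Tuple[str, List[str]]]:
    """url_map: request path -> backing resource. Returns resources that are
    constrained under one URL yet reachable unconstrained under another."""
    by_resource: Dict[str, List[Tuple[str, str]]] = {}
    for path, resource in url_map.items():
        by_resource.setdefault(resource, []).append(
            (path, decide(method, path, constraints)))
    findings = []
    for resource, entries in by_resource.items():
        verdicts = {v for _, v in entries}
        if len(verdicts) > 1 and "unconstrained" in verdicts:
            findings.append((resource,
                             sorted(p for p, v in entries if v == "unconstrained")))
    return findings


# Constructed web.xml model. The first constraint mirrors the quoted snippet:
# url-pattern "/", GET and POST omitted, empty auth-constraint.
CONSTRAINTS = [
    SecurityConstraint("Deny all HTTP methods except GET and POST", ["/"],
                       http_method_omissions={"GET", "POST"}, roles=set()),
    SecurityConstraint("Reports need the manager role", ["/secure/*"],
                       roles={"manager"}),
]

# Constructed mapping: the /report servlet forwards to the same JSP that is
# also addressable directly under /secure/.
URL_MAP = {
    "/secure/report.jsp": "/secure/report.jsp",
    "/report": "/secure/report.jsp",
    "/index.jsp": "/index.jsp",
}

if __name__ == "__main__":
    for m, p in [("GET", "/secure/report.jsp"), ("GET", "/report"),
                 ("PUT", "/report"), ("PUT", "/secure/report.jsp")]:
        print(f"{m} {p}: {decide(m, p, CONSTRAINTS)}")
    print("exposed:", exposed_resources(URL_MAP, CONSTRAINTS))
```

Two things fall out of running it. The "/" constraint applies to /report because no other pattern matches it, which is the "if nothing else matches" reading from the question; and because a more specific pattern (/secure/*) wins outright, the method-deny on "/" does not reach PUT /secure/report.jsp at all, so a constraint on "/" cannot be relied on as a catch-all where other patterns exist. The audit function surfaces the second URL that serves the protected JSP without any constraint.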