Head First 1st Edition:
p. 634:
If there are no NO <http-method> elements it means that NO HTTP Methods are allowed by
ANYONE in ANY role p. 660
There's an example where no <http-method> is specified. There's a commentary: We left off <http-method> so that NO HTTP Methods are accessible by
ANYONE except Admin (there's a <auth-constraint> with this role coming after <web-resource-collection>
So, does that mean that:
1) if I specify
<http-method/> than no methods are allowed to anyone by any role,
including the one that i specify in the
<auth-constraint> 2) id I
don't specify <http-method> at all than no methods are allowed to anyone
except roles, specified in the
<auth-constraint>