Yep, that's what my query was. If you mix the errata and page 636, we end up all confused. Here's the errata
{634} hand written comment at the bottom;
"If there were NO <http-method> elements in the <web-resource-collection>, it would mean that NO HTTP Methods are allowed, by ANYONE in any role."
should be:
"If there are NO <http-method> elements, in the <web-resource-collection>, it would mean that ALL HTTP Methods are allowed."
and here's the link for quick ref.
http://www.oreilly.com/catalog/headservletsjsp/errata/headservletsjsp.confirmed
I think:
if NO http-method specified -> ALL ALLOWED. If we think, this makes sense. The security-constraint element mentions the http-methods to be "constrained". Also, if you mention only GET in http-method, it's constrained, but others, POST, PUT... are allowed. Going by the same logic, NO http-method would mean, ALLOW ALL methods.
I think I'll try and let you guys know.
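
An added example, not part of the original post: a small checker that reads a web.xml and reports, for each web-resource-collection, which HTTP methods its security-constraint covers and which it leaves uncovered. It assumes the Servlet specification's rule that a collection with no <http-method> elements has the constraint applied to every method, while listing methods leaves the unlisted ones unconstrained; the sample descriptor, `audit` and `STANDARD_METHODS` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the post): one collection lists
# only GET, the other lists no <http-method> at all.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>auditor</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

STANDARD_METHODS = ["GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE"]

def local(tag):
    """Strip an XML namespace so namespaced and plain descriptors both parse."""
    return tag.rsplit("}", 1)[-1]

def audit(web_xml):
    """Return one dict per web-resource-collection: covered/uncovered methods."""
    findings = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        roles = [e.text.strip() for e in sc.iter() if local(e.tag) == "role-name" and e.text]
        for wrc in sc:
            if local(wrc.tag) != "web-resource-collection":
                continue
            patterns = [e.text.strip() for e in wrc if local(e.tag) == "url-pattern"]
            listed = [e.text.strip().upper() for e in wrc if local(e.tag) == "http-method"]
            # Assumed rule (Servlet spec): no <http-method> => every method is covered.
            covered = listed or list(STANDARD_METHODS)
            uncovered = [m for m in STANDARD_METHODS if m not in covered]
            findings.append({"patterns": patterns, "roles": roles,
                             "covered": covered, "uncovered": uncovered})
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_WEB_XML), sep="\n")
```

A non-empty `uncovered` list marks methods that reach the URL pattern without the role check, which is the case to review in a deployment descriptor.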