I am confused about something on p. 660 of the Head First book.
Here is the security constraint they are working with:
<web-app...>
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Stuff</web-resource-name>
      <url-pattern>/foo/bar/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
At the bottom right of the page it says "We left off <http-method> so that NO HTTP Methods are accessible to anyone except Admins."
But if you look back on p. 634, it says on the comment at bottom right:
"If there were NO <http-method> elements in the <web-resource-collection>, it would mean that NO HTTP Methods are allowed, by ANYONE in any role."
I may be missing something here, but I thought that leaving them out would mean NO methods allowed for anyone.
(I checked in the errata and didn't see anything on this.)
Thoughts anyone???
TJ
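
How a container evaluates the constraint quoted above under the Servlet specification's rules, as an added example that is not part of the original post or the book. The function names are hypothetical, the XML is a constructed copy of the snippet wrapped in a bare <web-app>, and the sketch handles a single <security-constraint> with exact and /x/* patterns only (no "*" role, no combining of several constraints).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the post, wrapped in a bare <web-app>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Stuff</web-resource-name>
      <url-pattern>/foo/bar/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Exact and path-prefix ('/x/*') matching; extension patterns are omitted."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern

def is_allowed(web_xml, path, method, roles):
    """Hypothetical helper: decide one request against the single constraint."""
    sc = ET.fromstring(web_xml).find("security-constraint")
    covered = False
    for wrc in sc.findall("web-resource-collection"):
        urls = [u.text.strip() for u in wrc.findall("url-pattern")]
        methods = [m.text.strip() for m in wrc.findall("http-method")]
        # No <http-method> listed: the collection covers every HTTP method.
        if any(pattern_matches(u, path) for u in urls) and (not methods or method in methods):
            covered = True
    if not covered:
        return True   # URL or method not covered, so this constraint does not restrict it
    auth = sc.find("auth-constraint")
    if auth is None:
        return True   # covered resource without <auth-constraint>: open to everyone
    allowed = {r.text.strip() for r in auth.findall("role-name")}
    # An <auth-constraint> naming no roles leaves this set empty: nobody gets in.
    return bool(allowed & set(roles))
```

Listing `<http-method>GET</http-method>` in the collection narrows the constraint to GET, which leaves every other method on that URL unconstrained.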