Thank you very much Krzysiek* for your explanations.
For the question 9 p 563, the HFS page that you mentioned is p. 533.
So the same authors that you hail should have to fix it.
For all the other book errata there is the http://www.oreilly.com/catalog/headservletsjsp/errata/
So glance at it before publishing your discoveries.
However while reading this o'reilly errata page, some ambiguities stay.
Here is an example that I am just studying p 634 about <security-constraint> rules:
Hand written - if there were NO <http-method> elements, in the <web-resource-collection>, it would mean that NO HTTP Methods are allowed, by ANYONE in any role.
Key-point - if no HTTP Methods are specified then ALL Methods will be constrained.
Hand written - if there are NO <http-method> elements, in the <web-resource-collection>, it would mean that ALL HTTP Methods are allowed, by ANYONE in any role.
Key-point - if no HTTP Methods are specified then ALL Methods are allowed.
Pretty different isn't it!
But NO new erratum has be written p 635 1 st paragraph for:
A resource is always constrained on an HTTP method by HTTP basis, although you CAN configure the <web-resource-collection> in such a way that ALL Methods are constrained, simply by not putting in ANY <http-method> elements.
So what is true!
Indeed is there a difference between
nothing and <http-method></http-method> (<http-method> does not seem to be a mandatory element),
as there is one between
nothing (all users are allowed)and <auth-constraint></auth-constraint> (no user is allowed)?
* Why Chris instead of Krzysiek or Krzys?