I would try the following:
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<!-- no auth-constraint tag here -->
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
The first security-constraint
does not have any auth-constraint
, so the GET and POST methods are available to anyone without login. The second restricts other http methods for everybody. (I haven’t tried it.)