Point 2 in Section SRV 12.8.3 in servlet spec states the container shall reject a request (403) if access to such resource has been precluded by an empty auth- constraint element. However, Tomcat up to 5.5.14 returns 401 in the test. How to reproduce: - Deploy attached file - Visit http://localhost:8080/httpmethod/HTTPMethod/POST This should not ask for any credential at all.
Created attachment 17230 [details] the test web archive
This is fixed now in SVN trunk, and will appear in 5.5.15. Thanks for the report!