What do most people use to restrict PUT and DELETE http methods? 1. Using a security-constraint with no roles specified in a auth-constraint, with a url-pattern of /* (or appropriate URI) and list the http methods to restrict
OR 2. Set the attribute "readonly" to true in the default servlet in web.xml Leo
