Which two statements are true about the security-related tags in a valid Java EE deployment descriptor? (Choose two)
A.
Every <security-constraint> tag must have at least one <http-method> tag.
B.
A <security-constraint> tag can have many <web-resource-collection> tags.
C.
A given <auth-constraint> tag can apply to only one <web-resource-collection> tag.
D.
A given <web-resource-collection> tag can contain from zero to many <url-pattern> tags.
E.
It is possible to construct a valid <security-constraint> tag such that, for a given resource user roles can access that resource.
The Correct answer is : D
B and E
D cannot be correct, tag must be from 1 to many as it is mandatory, the correct answer is B and E