Improve documentation of SecurityContext.hasAccessToWebResource() without specifying the HTTP method
Presently, the test at https://github.com/jakartaee/security/blob/a87eca4492dfc8dd1558f7ce9644a9121e72b384/tck/app-securitycontext/src/main/java/ee/jakarta/tck/security/test/Servlet.java#L85 is making a call to SecurityContext.hasAccessToWebResource() without specifying the HTTP method to test.
In the Javadoc, this parameter is described as taking "one or more methods to check". In the specification itself there is also no mention of calling without specifying the HTTP method, and the documented example does specify a method: https://github.com/jakartaee/security/blob/a87eca4492dfc8dd1558f7ce9644a9121e72b384/spec/src/main/asciidoc/securityContext.adoc
This feels like something which could be clarified in a later release.
For now, I think what best documents it is the TCK test and some hints in the Javadoc:
- The Javadoc for SecurityContext.hasAccessToWebResource() contains the following in the documentation of the resource argument: "For a full specification of this pattern see WebResourcePermission(String, String)". I know this isn't in the docs for the methods argument, but WebResourcePermission includes not only the resource pattern but also actions (HTTP methods). So I'd assume that the documentation of WebResourcePermission is relevant also for the methods argument.
- The Javadoc for WebResourcePermission claims that "A null or empty string HTTPMethodSpec indicates that the permission applies to all HTTP methods at the resources identified by the URL pattern." Which means that the list of actions can be null or an empty string, and that in that case the permission applies to all HTTP methods. That is a hint that when the methods argument to SecurityContext.hasAccessToWebResource() is empty, it should return true if the user has permission to all HTTP methods for a given resource.
I believe that this is also in line with what the TCK test expects.
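
The following is an added example, not part of the original thread and not code from the Jakarta Security project or its TCK. It uses the real `jakarta.security.jacc.WebResourcePermission` class to compare a no-method check with a single-method check against two different grants. Assumptions: the Jakarta Authorization API jar is on the classpath, the path `/protectedServlet` is a constructed sample, and `hasAccess` is a hypothetical stand-in for what a container might do internally (the thread does not confirm how any implementation builds the permission).

```java
import jakarta.security.jacc.WebResourcePermission;
import java.security.Permissions;

public class NoMethodAccessCheck {

    // Hypothetical stand-in for the container's check: build the permission
    // being asked about and test it against the caller's granted permissions.
    // With no methods given, the String[] constructor receives an empty array
    // and creates a permission with null actions, which the
    // WebResourcePermission Javadoc defines as applying to all HTTP methods.
    static boolean hasAccess(Permissions granted, String resource, String... methods) {
        return granted.implies(new WebResourcePermission(resource, methods));
    }

    public static void main(String[] args) {
        String resource = "/protectedServlet"; // constructed sample path

        // Caller A: granted GET only on the resource.
        Permissions getOnly = new Permissions();
        getOnly.add(new WebResourcePermission(resource, "GET"));

        // Caller B: granted every HTTP method (null HTTPMethodSpec).
        Permissions allMethods = new Permissions();
        allMethods.add(new WebResourcePermission(resource, (String) null));

        // A permission implies another only when the checked methods are a
        // subset of the granted methods, so the no-method check asks for more
        // than the GET check does.
        System.out.println("GET-only grant, check GET:          "
                + hasAccess(getOnly, resource, "GET"));
        System.out.println("GET-only grant, check no method:    "
                + hasAccess(getOnly, resource));
        System.out.println("all-methods grant, check GET:       "
                + hasAccess(allMethods, resource, "GET"));
        System.out.println("all-methods grant, check no method: "
                + hasAccess(allMethods, resource));
    }
}
```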