
Security 4.0 challenge for unauthenticated test expecting a valid response from the server #362

@jhanders34

Challenged tests
ee.jakarta.tck.security.test.AppMemPolicyIT#testNotAuthenticatedSpecial

TCK Version
Jakarta Security 4.0

Description
The tests invoke a Servlet that has role security constraints defined on it and the servlet specification states that a 401 must be returned in that case. The test is expecting that the servlet should be serviced and data returned from the servlet for the test to process.

Additional context
Servlet 6.1, section 13.8.3, states:

If access is restricted to permitted roles and the request has not been authenticated, the request shall be rejected as unauthorized and a 401 (SC_UNAUTHORIZED) status code shall be returned to cause authentication.

Since the only way I can see to make this test work is adding a second servlet that doesn't have role constraints defined on it, I believe these tests will need to be excluded for this challenge, and an update cannot be made to the test in a way that doesn't add to the requirements of the test, but I could be wrong.

This challenge is akin to jakartaee/authorization#173 which has the same type of test and criteria for a challenge.
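The following is an added illustration of the behaviour the challenge turns on; it is not the TCK's test nor code from the issue author. It assumes a hypothetical role name "Administrator", the URL patterns "/protected" and "/open", and a placeholder application base URL; all three are invented for the example. The constrained servlet shows why an unauthenticated caller never reaches the servlet body, the unconstrained servlet is the shape of the "second servlet" the issue mentions, and the probe verifies from outside that the container answers 401 for the constrained path and serves the open one.

```java
// --- ProtectedServlet.java (added example; role name and path are assumptions) ---
import jakarta.servlet.annotation.HttpConstraint;
import jakarta.servlet.annotation.ServletSecurity;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Access is restricted to the hypothetical "Administrator" role. Under Servlet 6.1
 * section 13.8.3 the container rejects an unauthenticated request with 401 before
 * this servlet is invoked, so doGet() can never report on an unauthenticated caller.
 */
@WebServlet("/protected")
@ServletSecurity(@HttpConstraint(rolesAllowed = "Administrator"))
public class ProtectedServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("principal=" + req.getRemoteUser()
                + " inRole=" + req.isUserInRole("Administrator"));
    }
}

// --- OpenServlet.java (added example) ---
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * No role constraint, so an unauthenticated request is serviced. This is the only
 * place a test can observe what the container exposes for an unauthenticated
 * caller: getRemoteUser() is null and isUserInRole() is false for every role.
 */
@WebServlet("/open")
public class OpenServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("principal=" + req.getRemoteUser()
                + " inRole=" + req.isUserInRole("Administrator"));
    }
}

// --- Probe.java (added example; run from the command line against a deployed app) ---
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

public class Probe {
    // Placeholder base URL; replace with the deployed application's context root.
    static final String BASE = "http://localhost:8080/app";

    // Sends an unauthenticated GET and returns only the status code.
    static int status(HttpClient client, String path) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create(BASE + path)).GET().build();
        return client.send(req, HttpResponse.BodyHandlers.discarding()).statusCode();
    }

    public static void main(String[] args) throws Exception {
        HttpClient client = HttpClient.newHttpClient();
        int protectedStatus = status(client, "/protected");
        int openStatus = status(client, "/open");
        System.out.println("/protected -> " + protectedStatus + " (expected 401)");
        System.out.println("/open      -> " + openStatus + " (expected 200)");
        if (protectedStatus != 401 || openStatus != 200) {
            throw new AssertionError("container does not enforce the role constraint as 13.8.3 requires");
        }
    }
}
```

The probe assumes the application is configured with a login mechanism that answers unauthenticated requests with 401 (for example BASIC); with FORM authentication the container serves the login page instead of a 401, so the expected status for "/protected" would differ. The point for the challenge is visible in the first servlet: any assertion about the identity of an unauthenticated caller has to be made from an unconstrained servlet, which is why the test as written cannot pass against a conforming container.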

Labels: challenge (TCK challenge was appealed)
