As Undertow processes a deployment to convert the security constraints to a JACC Policy using JACC Permissions there is a step which adds unchecked permissions based on the HTTP methods seen so far: -

            if(jbossWebMetaData.getDenyUncoveredHttpMethods() == null) {
                if (seenMethods.size() != NUMBER_OF_HTTP_METHODS) {
                    WebResourcePermission wrpUnchecked = new WebResourcePermission(qurl, "!"
                            + getCommaSeparatedString(seenMethods.toArray(new String[seenMethods.size()])));
                    pc.addToUncheckedPolicy(wrpUnchecked);
                }
            }

If no methods have been seen so far this can lead to an action of "!".

Where an action is null or empty String the meaning is "all methods".
Where a list of methods of prefixed with "!" the meaning is "all methods except those listed".

Where we use "Unable to render embedded object: File (" we mean all methods as we have not already encountered any, however the API does specify the syntax and a single ") not found." without any actions is invalid so for that scenario we should use null or empty String.