It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request, an attacker may be able to bypass a security constraint.
Use a Servlet container known not to include path parameters in the return values for getServletPath() and getPathInfo().
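One way to check the container behaviour the workaround depends on, and to fail closed when it does not hold, is a servlet filter placed ahead of the security filter chain. This is an added example, not code from Spring Security or from this advisory; the class name PathParameterGuardFilter, the javax.servlet 3.0+ API and the choice of a 400 response are assumptions.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: hypothetical filter, to be registered before the security filter chain.
// Assumes the javax.servlet 3.0+ API; rejects rather than rewrites suspicious paths.
public class PathParameterGuardFilter implements Filter {
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getRequestURI() is not decoded by the container, so a ';' (path
        // parameter) or an encoded '/' (%2F) is still visible here.
        String rawUri = request.getRequestURI();
        boolean rawSuspicious = rawUri.indexOf(';') >= 0
                || rawUri.toLowerCase(Locale.ROOT).contains("%2f");

        // The two values named in the workaround. A ';' in either one means
        // this container does include path parameters in them, so the
        // workaround's precondition is not met.
        boolean containerLeaks = hasPathParameter(request.getServletPath())
                || hasPathParameter(request.getPathInfo());
        if (containerLeaks) {
            request.getServletContext().log("Path parameters present in "
                    + "getServletPath()/getPathInfo(); rejecting request");
        }
        if (rawSuspicious || containerLeaks) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(request, response);
    }

    private static boolean hasPathParameter(String path) {
        return path != null && path.indexOf(';') >= 0;
    }
}
```

Rejecting every ';' also blocks URL-rewritten session ids (;jsessionid=...), so session tracking has to rely on cookies when this filter is active.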