--- RealmBase.java.orig 2005-04-02 19:35:25.489726400 +0200 +++ RealmBase.java.orig 2005-05-08 20:20:23.544958400 +0200 @@ -32,6 +32,7 @@ import javax.management.MBeanRegistration; import javax.management.MBeanServer; import javax.management.ObjectName; +import javax.servlet.ServletException; import javax.servlet.http.HttpServletResponse; import org.apache.catalina.Container; @@ -431,7 +432,8 @@ * @param context Context the Request is mapped to */ public SecurityConstraint [] findSecurityConstraints(Request request, - Context context) { + Context context) + throws ServletException{ ArrayList results = null; // Are there any defined security constraints? @@ -645,6 +647,16 @@ if(pattern.equals("/")){ matched = true; } + if(pattern.endsWith("*")){ + if (pattern.charAt(pattern.length()-1) != '/') { + //as per http://issues.apache.org/bugzilla/show_bug.cgi?id=34805 + if (log.isDebugEnabled()) { + log.debug(" invalid url pattern: \"" + pattern + "\"" + + " - see http://java.sun.com/aboutJava/communityprocess/first/jsr053/servlet23_PFD.pdf" + + " section 11.2" );} + throw new ServletException(" invalid url pattern: \"" + pattern + "\""); + } + } } if(matched) { if(results == null) { @@ -654,7 +666,7 @@ } } } - + if(results == null) { // No applicable security constraint was found if (log.isDebugEnabled())
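Review bot: Adding `throws ServletException` to `findSecurityConstraints` puts a checked exception on a public signature, and this patch touches only RealmBase.java. If the method implements an interface declaration that lacks the clause (not visible here), the class will no longer compile, and every caller has to be updated as well. Callers should treat the exception as a refusal rather than as "no constraint found", so that a malformed pattern cannot lead to a resource being served unprotected. The Javadoc above the signature also needs a matching line, for example `@exception ServletException if a configured URL pattern is malformed`. The method body continues outside the hunk.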
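Review bot: The inner test `pattern.charAt(pattern.length()-1) != '/'` is always true inside `if(pattern.endsWith("*"))`, because the last character is the `*` itself. Every pattern ending in `*`, including a well-formed `/*`, therefore raises ServletException. The character before the star is the one to compare, with a length guard for a bare `*`: `if (pattern.length() < 2 || pattern.charAt(pattern.length()-2) != '/') {`. The check also appears to run during constraint lookup for a request (inferred from the `throws` added to `findSecurityConstraints`; the enclosing loop starts outside the hunk). Validating patterns once when the constraint is registered would reject a bad descriptor at deployment instead of failing requests. The pointer to the spec section is emitted only at debug level, so the exception message would be more useful if it carried `section 11.2` too.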