Code in WebAppParser.java is wrong with web.xml snippets like this:
A WebAppSecurityConstraint is first created, then the /SomeUrl/* is parsed and the WebAppSecurityConstraint url is set. Then /AnotherUrl/* is parsed and the same WebAppSecurityConstraint url is set again. Therefore some constraints are dropped.
The same applies for http-method.
The fix is here: