users@glassfish.java.net

Re: ServerAuthModule and welcome-file

From: <glassfish_at_javadesktop.org>
Date: Thu, 31 Jul 2008 11:12:04 PDT

Hi Jason,

This looks like a problem in the GlassFish runtime. The runtime enforces security constraints on the URL resulting from any welcome file mapping, but (it looks like) the runtime determines isMandatory on the received URI (i.e., without applying any welcome file mapping). As such there is a mismatch.

I believe that the permitAll method of WebSecurityManager must be changed to call CreateWebResourcePermission instead of "new WebResourcePermission".

Can you please file an issue?

Ron
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=290737
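
The mismatch described in the message above, as an added simplified model; it is not part of the original post and is not GlassFish code. The class and method names, the two constraint patterns and the welcome file `index.jsp` are assumptions chosen for illustration.

```java
import java.util.List;

// Simplified model with hypothetical names (not GlassFish code): the container
// enforces constraints on the welcome-file-mapped URL, but computes the
// "authentication is mandatory" flag from the URI as it was received.
public class WelcomeFileMismatch {
    // Assumed deployment: two protected URL patterns and one welcome file.
    static final List<String> CONSTRAINTS = List.of("*.jsp", "/admin/*");
    static final String WELCOME_FILE = "index.jsp";

    // Servlet-style URL pattern match: path prefix, extension, or exact.
    static boolean matches(String pattern, String uri) {
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return uri.equals(prefix) || uri.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) {
            return uri.endsWith(pattern.substring(1));
        }
        return pattern.equals(uri);
    }

    // True when any constraint pattern covers the URI (simplified: no best-match rule).
    static boolean isProtected(String uri) {
        return CONSTRAINTS.stream().anyMatch(p -> matches(p, uri));
    }

    // Welcome-file mapping: a directory request is served by its welcome file.
    static String applyWelcomeFile(String uri) {
        return uri.endsWith("/") ? uri + WELCOME_FILE : uri;
    }

    public static void main(String[] args) {
        for (String received : new String[] {"/", "/index.jsp", "/admin/", "/logo.png"}) {
            String mapped = applyWelcomeFile(received);
            boolean enforced = isProtected(mapped);             // constraint check on mapped URL
            boolean mandatoryReceived = isProtected(received);  // flag from the received URI
            boolean mandatoryMapped = isProtected(mapped);      // flag if mapping is applied first
            System.out.printf("%-12s -> %-18s enforced=%-5b mandatory(received)=%-5b mandatory(mapped)=%-5b%s%n",
                    received, mapped, enforced, mandatoryReceived, mandatoryMapped,
                    enforced != mandatoryReceived ? "  <-- mismatch" : "");
        }
    }
}
```

In this model only the request for `/` shows the mismatch: the extension pattern matches the welcome file but not the directory URI, while `/admin/` is covered by the prefix pattern both before and after mapping.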