I think it would be a good idea to grab a copy of the
J2EE specification document from oracle.com and read up on the rules for security constraints. The spec should indicate precisely how URL
patterns that are more generic than similar patterns are considered and what happens if a URL matches more that one pattern (or the pattern occurs twice).
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.