For: <url-pattern>*login</url-pattern> Really shouldn't match any thing other than "http://localhost/application/*login" and I didn't check if '*' is allowed in a URL so even that may not work (and it's not exactly good practice if it does). Again according to the spec, the only valid mapping that starts with the asterisk is an extension mapping (i.e. *.jsp). Given that mapping, if "http://localhost/application/secure/login" is accepted and calls the filter then yes, IMHO and FWIW, that is a mistake. I'd guess that internally the code is checking just that the pattern begins with "*" and treating it as a wildcard.
>>The following also never calls the filter: "/secure/*login". It shouldn't, that is not a valid wildcard mapping (which can only end with the asterisk, the embedded asterisk doesn't mean anything).