Security constraint in web.xml not getting applied to URL patterns having file extension

One of your other URL patterns matches more than this url-pattern - *.xml requestURI, that's why it's not working. For example, if you have /test/list/user.xml, then this will be treated as a web resource collection in Super user Area and thus SUPER_USER can only have access. so, ensure that url-pattern is declared more specific to resources to avoid clashes and mis-interpretation. Thanks