Basic Auth in Glassfish 7 vs Payara 5

[kbachl]

Hi,

I upgraded an app to deploy on Glassfish 7.0.25 (coming from payara 5); The following snippet in web.xml leads to an basic auth requirement even on the root path of the app:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>OData access Path</web-resource-name>
            <url-pattern>/odata/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Users</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>file</realm-name>
    </login-config>

    <security-role>
        <role-name>Users</role-name>
    </security-role>

I expected only path
https://10.0.0.30:8443/appName/odata
and e.g.
https://10.0.0.30:8443/appName/odata/..

to trigger it, but it also triggers on
https://10.0.0.30:8443/appName/
?

Has there anything changed in that config part?
Exact same works on payara 5 as expected, if I disable the part of

 <web-resource-collection>
            <web-resource-name>OData access Path</web-resource-name>
            <url-pattern>/odata/*</url-pattern>
        </web-resource-collection>

i can access my app under the
https://10.0.0.30:8443/appName/
as expected. Of course no basic auth on the required path then. Anything I miss here?