Spring Security's authorization rules can be misconfigured when using multiple servlets