Ilya,
The differences you are seeing with the handling of a security constraint for the url-pattern "/index.jsp" is most probably due to the different way Glassfish/Tomcat handles welcome files as compared to Jetty. When Jetty receives a request for "/context-root/" and we look to see if there is a security constraint that exactly matches as per the specification Section 13.8.3 (using the algorithm specified in 12.1). Because your constraint is /index.jsp, this does not match. Jetty then dispatches the request to the welcome file mechanism via a forward - as this is a dispatch, the security constraints cannot be re-evaluated. Most probably Glassfish/Tomcat are using a redirect instead of a forward, which will cause a 2nd request that will be evaluated against the security constraints. If you wish, you can configure Jetty to do this too: set the init-param "redirectWelcome" to "true" for the DefaultServlet.
As for the empty string, this is mandated by the Servlet Specification section 12.2:
"The empty string ("") is a special URL pattern that exactly maps to the application's context root, i.e., requests of the form http://host:port/<context-root>/.
In this case the path info is ’ / ’ and the servlet path and context path is empty string (““)."
regards,