Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53801

      Overlapping URL patterns were sometimes merged incorrectly in security constraints leading to incorrect 401 responses. Note: it was possible for access to be denied when it should have been granted but it was not possible for access to be granted when it should have been denied.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1379206 13f79535-47bb-0310-9956-ffa450edef68