Unfortunately this is not a bug, but a flaw with the servlet spec and with tomcat.
The servlet spec says that welcome files can be implemented with redirect, Dispatcher.forward or
with "a mechanism indistinguishable to a direct request". Jetty offers the first two options, for which
security is well defined (applies to redirection, does not apply to forwards).
The indistinguishable option is used by tomcat and is poorly defined as to what that means
with regards to security. For the 2.5 specification there was a discussion within the expert
group about this, which concluded that the constraints should be applied before
welcome file mapping. The glassfish fork of tomcat has been updated to reflect this, but
I am not sure if tomcat has yet been corrected.
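As an added illustration, not part of the comment above and not code from Jetty or Tomcat, the following web.xml fragment (assuming a hypothetical `/secure/` area with `index.jsp` as its welcome file) shows why the ordering discussed matters: a constraint written against the welcome file's own path only covers a request for the directory if the container applies constraints after welcome-file mapping, whereas a pattern over the whole directory matches the original request URI under any of the three mechanisms.

```xml
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <!-- Constructed example: /secure/ is a hypothetical protected area -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Fragile: constrains only the welcome file by its exact path.
       A request for /secure/ is covered only if the container checks
       constraints after mapping it to /secure/index.jsp, which the
       "indistinguishable" mechanism leaves undefined. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>welcome file only</web-resource-name>
      <url-pattern>/secure/index.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Robust: constrain the whole directory. The request URI /secure/
       matches /secure/* before any welcome-file mapping happens, so the
       check holds whether the container redirects, forwards, or serves
       the welcome file transparently. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole secure area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>secure</realm-name>
  </login-config>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

With both constraints present the second one makes the first redundant; it is kept here only to show the contrast.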