Workaround until the next point release: use the 'filterChainDefinitionMap' property instead - it does retain correct path matching order.
The problem: the current 'setFilterChainDefinitions' implementation uses a java.util.Properties object to load the text block into key/value pairs. Unlike a LinkedHashMap, Properties do not retain definition order. For example, the following chain definitions would fail:
/ = anon
/UIDL/ = anon
In a simple test, the pattern matcher first evaluated a /UIDL/ request against /, which didn't match. It then tried to match the request against /** which did match. However, this is incorrect behavior, because there is a /UIDL/ chain defined which was never matched, resulting in a denied request, even though there is a validly defined (and ordered) pattern for it.