Wicket / WICKET-1898

WebRequestCycleProcessor.resolveHomePageTarget for empty path with enforceMounts=true provokes 403 - "Direct access not allowed for mounted targets"

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.4-M3
    • Fix Version/s: 1.4-RC2
    • Component/s: wicket
    • Labels: None
    • Environment: Wicket 1.4-m3

    Description

      Scenario: WebApplication.getHomePage() returns a page that is also mounted to a non-empty path by WebApplication.mountBookmarkablePage(). Besides, we have getSecuritySettings().setEnforceMounts(true). Upon a request for the servlet's root URL (i.e., with requestParameters.getPath()==""), the method WebRequestCycleProcessor.resolve will throw an AbortWithWebErrorCodeException(403) with error message "Direct access not allowed for mounted targets".

      This is because WebRequestCycleProcessor.resolveHomePageTarget correctly returns a non-null target, so that the else-branch starting in line 190 of file WebRequestCycleProcessor.java is reached.

      The comment says "a target was found, but not by looking up a mount", which is misleading, because the scenario should desirably work even though property enforceMounts has been set to true.

      The only (terrible) workaround I have found is to override WebRequestCycleProcessor.resolveHomePageTarget() to return null and establish a home-page-like thing by overriding WebRequestCodingStrategy.urlCodingStrategyForPath() for the empty path.
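
The decision described in this report, as a simplified stand-alone model added here; it is not Wicket's source and not the change shipped in 1.4-RC2. The `exemptHomePage` flag, the page names and the mount paths are assumptions made for illustration: the point is that a home-page exemption for the empty path can be scoped so that direct, non-mount access to a mounted page is still rejected.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the enforceMounts check; not Wicket code.
public class EnforceMountsModel {
    static final Map<String, String> MOUNTS = new HashMap<>(); // mount path -> page name
    static final String HOME_PAGE = "HomePage";  // stands in for getHomePage()
    static boolean enforceMounts = true;         // stands in for setEnforceMounts(true)

    /**
     * Returns the HTTP status for a request.
     * path:           request path relative to the servlet root ("" for the root URL)
     * directPage:     page requested directly by name, bypassing mounts; null if none
     * exemptHomePage: hypothetical guard that lets the home page through for the
     *                 empty path only
     */
    static int resolve(String path, String directPage, boolean exemptHomePage) {
        if (MOUNTS.containsKey(path)) {
            return 200;                           // target found by looking up a mount
        }
        boolean viaHomePage = path.isEmpty() && directPage == null;
        String target = viaHomePage ? HOME_PAGE : directPage;
        if (target == null) {
            return 404;
        }
        // "a target was found, but not by looking up a mount"
        boolean targetIsMounted = MOUNTS.containsValue(target);
        if (enforceMounts && targetIsMounted && !(exemptHomePage && viaHomePage)) {
            return 403;                           // "Direct access not allowed for mounted targets"
        }
        return 200;
    }

    public static void main(String[] args) {
        MOUNTS.put("home", HOME_PAGE);            // constructed sample mounts
        MOUNTS.put("admin", "AdminPage");

        System.out.println("root URL, as reported:          " + resolve("", null, false));
        System.out.println("root URL, with exemption:       " + resolve("", null, true));
        System.out.println("mounted path 'home':            " + resolve("home", null, true));
        System.out.println("direct HomePage, with exemption: " + resolve("", "HomePage", true));
        System.out.println("direct AdminPage, with exemption: " + resolve("", "AdminPage", true));
    }
}
```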

          People

            Assignee: ivaynberg Igor Vaynberg
            Reporter: olivermatz Oliver Matz