The syntax and semantics of org.springframework.security.web.util.AntPathRequestMatcher (AntUrlPathMatcher in 3.0) are undocumented. The reference manual loosely refers to "Ant style" and states about the request-matcher attribute in the <http> section:
"See the Javadoc for these classes for more details on exactly how the matching is preformed." (quote includes typo) However, the Javadoc says nothing about it.
The RequestMatcher syntax and semantics are an important contract between a user and Spring Security. Any misunderstanding on the user's side is likely to result in vulnerabilities.