The best way (AFAIK) to handle this situation is to put all the JSPs you want security constraints on in a subdirectory of root. For example you can use 'secured'. Then leave any pages that do not have constraints in root. Your web.xml will then look like this...
...
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Volga</web-resource-name>
        <url-pattern>/secured/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
</security-constraint>
...
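A complete form of the `/secured/*` constraint above, as an added example that is not part of the original post. The role name `member` and the login page paths are assumptions chosen for illustration; the login pages sit in root so they stay outside the protected directory.

```xml
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Volga</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
      <!-- No <http-method> elements here: the constraint then applies to
           every HTTP method. Listing only GET and POST leaves requests
           using other methods (HEAD, PUT, DELETE, ...) outside the
           constraint. -->
    </web-resource-collection>

    <!-- Without <auth-constraint> the container does not require a login
         for the matched URLs. "member" is an assumed role name. -->
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>

    <!-- Require TLS so credentials and session cookies are not sent in
         clear text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Form login; both pages are assumed names and live in root,
       outside /secured/, so unauthenticated users can reach them. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an <auth-constraint> is declared here. -->
  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```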