diff --git a/jetty-http/src/main/java/org/eclipse/jetty/http/pathmap/PathMappings.java b/jetty-http/src/main/java/org/eclipse/jetty/http/pathmap/PathMappings.java
index 1f1b3ecd8674..159d9cc1a530 100644
--- a/jetty-http/src/main/java/org/eclipse/jetty/http/pathmap/PathMappings.java
+++ b/jetty-http/src/main/java/org/eclipse/jetty/http/pathmap/PathMappings.java
@@ -201,6 +201,8 @@ public static PathSpec asPathSpec(String pathSpecString)
 {
 if ((pathSpecString == null) || (pathSpecString.length() < 1))
 {
+ if (pathSpecString != null)
+ return new ServletPathSpec("");
 throw new RuntimeException("Path Spec String must start with '^', '/', or '*.': got [" + pathSpecString + "]");
 }
 return pathSpecString.charAt(0) == '^' ? new RegexPathSpec(pathSpecString) : new ServletPathSpec(pathSpecString);
diff --git a/jetty-http/src/test/java/org/eclipse/jetty/http/pathmap/PathMappingsTest.java b/jetty-http/src/test/java/org/eclipse/jetty/http/pathmap/PathMappingsTest.java
index 11d0568572cb..00b5da8e920b 100644
--- a/jetty-http/src/test/java/org/eclipse/jetty/http/pathmap/PathMappingsTest.java
+++ b/jetty-http/src/test/java/org/eclipse/jetty/http/pathmap/PathMappingsTest.java
@@ -20,6 +20,7 @@
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.hamcrest.Matchers.nullValue;
 import static org.junit.jupiter.api.Assertions.assertEquals;
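Review bot: In asPathSpec the added `if (pathSpecString != null)` sits inside a branch whose condition is `null || length() < 1`, so the empty-string case is reached by re-testing what the outer condition just tested, and the exception below it is now thrown only for null while its message still says the string must start with '^', '/', or '*.'. The ConstraintTest added in the same commit suggests this factory decides which URL patterns a security constraint attaches to, so I would make the two cases explicit: `if (pathSpecString == null) throw new RuntimeException("Path Spec String must not be null");` followed by `if (pathSpecString.isEmpty()) return new ServletPathSpec("");`. Rewording the message changes what callers matching on it would see, so keep the old text if that matters. A one-line comment that `""` is the servlet exact context-root mapping would also help the next reader. The method's closing brace lies outside the hunk.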
@@ -456,4 +457,18 @@ public void testRemoveServletPathSpec()
 assertThat(p.remove(new ServletPathSpec("/a/b/c")), is(true));
 assertThat(p.remove(new ServletPathSpec("/a/b/c")), is(false));
 }
+
+ @Test
+ public void testAsPathSpec()
+ {
+ assertThat(PathMappings.asPathSpec(""), instanceOf(ServletPathSpec.class));
+ assertThat(PathMappings.asPathSpec("/"), instanceOf(ServletPathSpec.class));
+ assertThat(PathMappings.asPathSpec("/*"), instanceOf(ServletPathSpec.class));
+ assertThat(PathMappings.asPathSpec("/foo/*"), instanceOf(ServletPathSpec.class));
+ assertThat(PathMappings.asPathSpec("*.jsp"), instanceOf(ServletPathSpec.class));
+
+ assertThat(PathMappings.asPathSpec("^$"), instanceOf(RegexPathSpec.class));
+ assertThat(PathMappings.asPathSpec("^.*"), instanceOf(RegexPathSpec.class));
+ assertThat(PathMappings.asPathSpec("^/"), instanceOf(RegexPathSpec.class));
+ }
 }
diff --git a/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java b/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
index 72b5404fe4eb..3d802d77a1d0 100644
--- a/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
+++ b/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
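Review bot: testAsPathSpec asserts only inputs that are accepted, so the rejection path that the change leaves in place for null is not pinned. Adding `assertThrows(RuntimeException.class, () -> PathMappings.asPathSpec(null));`, with the matching static import from `org.junit.jupiter.api.Assertions`, would document that null is still refused now that `""` is not. It may also be worth one assertion for a non-empty string that starts with none of '^', '/' or '*.'; what ServletPathSpec does with such a value is not visible in this diff.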
@@ -1869,6 +1869,44 @@ public void testForbidTraceAndOptions() throws Exception
 assertThat(response, startsWith("HTTP/1.1 403 "));
 }
+ @Test
+ public void testDefaultConstraint() throws Exception
+ {
+ _security.setAuthenticator(new BasicAuthenticator());
+
+ ConstraintMapping forbidDefault = new ConstraintMapping();
+ forbidDefault.setPathSpec("/");
+ forbidDefault.setConstraint(_forbidConstraint);
+ _security.addConstraintMapping(forbidDefault);
+
+ ConstraintMapping allowRoot = new ConstraintMapping();
+ allowRoot.setPathSpec("");
+ allowRoot.setConstraint(_relaxConstraint);
+ _security.addConstraintMapping(allowRoot);
+
+ _server.start();
+ String response;
+
+ response = _connector.getResponse("GET /ctx/ HTTP/1.0\r\n\r\n");
+ assertThat(response, startsWith("HTTP/1.1 200 OK"));
+
+ response = _connector.getResponse("GET /ctx/anything HTTP/1.0\r\n\r\n");
+ assertThat(response, startsWith("HTTP/1.1 403 Forbidden"));
+
+ response = _connector.getResponse("GET /ctx/noauth/info HTTP/1.0\r\n\r\n");
+ assertThat(response, startsWith("HTTP/1.1 403 Forbidden"));
+
+ response = _connector.getResponse("GET /ctx/forbid/info HTTP/1.0\r\n\r\n");
+ assertThat(response, startsWith("HTTP/1.1 403 Forbidden"));
+
+ response = _connector.getResponse("GET /ctx/auth/info HTTP/1.0\r\n\r\n");
+ assertThat(response, startsWith("HTTP/1.1 401 Unauthorized"));
+ assertThat(response, containsString("WWW-Authenticate: basic realm=\"TestRealm\""));
+
+ response = _connector.getResponse("GET /ctx/admin/relax/info HTTP/1.0\r\n\r\n");
+ assertThat(response, startsWith("HTTP/1.1 200 OK"));
+ }
+
 private static String authBase64(String authorization)
 {
 byte[] raw = authorization.getBytes(ISO_8859_1);
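Review bot: The relaxed root mapping in testDefaultConstraint is exercised only with the exact request `GET /ctx/`, so the test does not pin how narrowly `""` matches. Because that mapping opens an unauthenticated exception inside a deny-by-default `"/"` policy, I would add at least one near-root request, for example the root with a query string, and assert its intended status. That way a later change to path matching cannot silently widen the exception. A short comment above the two mappings would also help, e.g. `// "" matches only the context root; "/" is the default mapping for everything else`. The 401 and 200 expectations for /ctx/auth/info and /ctx/admin/relax/info depend on constraint mappings set up outside this hunk.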