Security configuration needs to be changed to keep the flexibility added by the navigation controller. In particular, the authentication does not depend anymore on path specified in web.xml but relies on the security mandated by the underlying resource instead. Here are the noticeable changes for security:
Authentication is now triggered on the "/login" URL when it does not have a username or a password specified. Therefore, the URL /login?initialURI=/classic/home is (more or less) equivalent to /private/classic/home.
When a resource cannot be viewed due to security constraint.
If the user is not logged, the authentication will be triggered.
Otherwise, a special page (the usual one) will be displayed.