Hi Devs,

what's the reason that we check security after VirtualURIFilter? this could lead to many security holes, first and obvious would be if you are
forwarding request within VirtualURI it will simply ignore security.
Virtual URI's should also be protected, I know we are missing this part in GUI where you can define ACL for the URI but it will come in future.

I would propose to change this order in filter definition, if anyone of you has any concerns please let me know.