security-constraint url-pattern *.* does not work

My security-constraint url-pattern uses *.*

/myfolder/*.*

The above is intended to protected all files with extensions in the /
myfolder, but not its subfolders. Tomcat claims the syntax is an
error.

/myfolder/*

The above is accepted, but it protects files in myfolder/ as well as
its subfolders.

A strange design I suppose. But the reason I ask is that I want to
apply a filter only to files that are not protected.

Thanks.