Process all ServletSecurity annotations at web application start rather than at servlet load time to ensure constraints are applied consistently. Fix 1 of 2 for CVE-2018-1305