diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java
index 91d66baa23a..2836eac071b 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java
@@ -1169,16 +1169,30 @@ public class ContextHandler extends ScopedHandler implements Attributes, Gracefu
 while (target.startsWith("//"))
 target=URIUtil.compactPath(target);
- boolean isProtected = false;
- int i=0;
- while (!isProtected && i<_protectedTargets.length)
+ for (int i=0; i<_protectedTargets.length; i++)
 {
- isProtected = StringUtil.startsWithIgnoreCase(target, _protectedTargets[i++]);
+ String t=_protectedTargets[i];
+ if (StringUtil.startsWithIgnoreCase(target,t))
+ {
+ if (target.length()==t.length())
+ return true;
+
+ // Check that the target prefix really is a path segment, thus
+ // it can end with /, a query, a target or a parameter
+ char c=target.charAt(t.length());
+ if (c=='/'||c=='?'||c=='#'||c==';')
+ return true;
+ }
 }
- return isProtected;
+ return false;
 }
+ /* ------------------------------------------------------------ */
+ /**
+ * @param targets Array of URL prefix. Each prefix is in the form /path and will match
+ * either /path exactly or /path/anything
+ */
 public void setProtectedTargets (String[] targets)
 {
 if (targets == null)
@@ -1191,6 +1205,7 @@ public class ContextHandler extends ScopedHandler implements Attributes, Gracefu
 System.arraycopy(targets, 0, _protectedTargets, 0, targets.length);
 }
+ /* ------------------------------------------------------------ */
 public String[] getProtectedTargets ()
 {
 if (_protectedTargets == null)
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/handler/ContextHandlerTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/handler/ContextHandlerTest.java
index f9d07f47b83..9cced27457e 100644
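Review bot: A protected entry configured with a trailing slash no longer matches anything beneath it: in the new loop of the first hunk, when `t` is `/path/` and the target is longer, `target.charAt(t.length())` is the first character of the next segment, so none of the four delimiter tests succeeds and the method returns false where the old prefix test returned true. The Javadoc added above `setProtectedTargets` says entries have the form `/path`, but the visible part of that setter only copies the array, so nothing appears to enforce it. Either accept such entries in the match, `if (target.length()==t.length() || t.endsWith("/")) return true;`, or strip the trailing slash when the array is stored. The inline comment also says "a target" where it seems to mean a fragment (`#`). The body of `isProtectedTarget` starts outside the hunk, so the null handling of `target` and of individual entries is not visible here.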
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/handler/ContextHandlerTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/handler/ContextHandlerTest.java
@@ -437,6 +437,7 @@ public class ContextHandlerTest
 assertTrue(handler.isProtectedTarget("/foo-inf/x/y/z"));
 assertFalse(handler.isProtectedTarget("/foo/x/y/z"));
 assertTrue(handler.isProtectedTarget("/foo-inf?x=y&z=1"));
+ assertFalse(handler.isProtectedTarget("/foo-inf-bar"));
 protectedTargets = new String[4];
 System.arraycopy(handler.getProtectedTargets(), 0, protectedTargets, 0, 2);
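Review bot: The added assertion pins only the rejected case; of the delimiters the new check accepts, the visible assertions exercise `/` and `?` but not `;` or `#`, nor a target equal to the entry itself. Since this is an access-control predicate, each accepted branch deserves a regression assertion, for example `assertTrue(handler.isProtectedTarget("/foo-inf;x=y"));` and `assertTrue(handler.isProtectedTarget("/foo-inf#frag"));`. The test method starts and ends outside the hunk, so these may already exist elsewhere in it.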