diff --git a/servlet/src/main/java/io/undertow/servlet/handlers/security/SecurityPathMatches.java b/servlet/src/main/java/io/undertow/servlet/handlers/security/SecurityPathMatches.java
index 21438c508e..fe961f2c03 100644
--- a/servlet/src/main/java/io/undertow/servlet/handlers/security/SecurityPathMatches.java
+++ b/servlet/src/main/java/io/undertow/servlet/handlers/security/SecurityPathMatches.java
@@ -190,15 +190,16 @@ private void handleMatch(final String method, final PathSecurityInformation exac
 transport(currentMatch, role.transportGuaranteeType);
 currentMatch.constraints.add(new SingleConstraintMatch(role.emptyRoleSemantic, role.roles));
 }
- } else if (denyUncoveredHttpMethods) {
- if (exact.perMethodRequiredRoles.size() == 0) {
+ } else if(denyUncoveredHttpMethods) {
+ if(exact.perMethodRequiredRoles.size() == 0) {
 // 13.8.4. When HTTP methods are not enumerated within a security-constraint, the protections defined by the
 // constraint apply to the complete set of HTTP (extension) methods.
 currentMatch.uncovered = false;
 currentMatch.constraints.add(new SingleConstraintMatch(SecurityInfo.EmptyRoleSemantic.PERMIT, new HashSet<>()));
- } else {
- //at this point method info is null, but there is match, above if will be triggered for default path, we need to flip it?
- // keep currentMatch.uncovered value as true (this is the value that is initially set)
+ } else if(exact.perMethodRequiredRoles.size() > 0) {
+ //at this point method is null, but there is match, above if will be triggered for default path, we need to flip it?
+ currentMatch.uncovered = true;
+ //NOTE: ? currentMatch.constraints.clear();
 currentMatch.constraints.add(new SingleConstraintMatch(SecurityInfo.EmptyRoleSemantic.DENY, new HashSet<>()));
 }
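Review bot: The new `} else if(exact.perMethodRequiredRoles.size() > 0) {` is only reached when the preceding `size() == 0` test failed, so it is equivalent to the plain `} else {` it replaces and suggests a third case that does not exist; keep `} else {` and put the reasoning in the comment instead. The branch also leaves two open questions as comments — `we need to flip it?` and `//NOTE: ? currentMatch.constraints.clear();` — in exactly the path that decides whether a method not enumerated for this path is denied; whether constraints already accumulated on `currentMatch` should be discarded before the DENY constraint is appended needs to be decided and stated, e.g. `// deny-uncovered-methods is on and this path enumerates methods that do not include the request method: mark it uncovered and add a DENY constraint (earlier constraints are intentionally kept / cleared)`, rather than left as commented-out code. Since `currentMatch.uncovered = true` is now assigned explicitly where the removed comment relied on the initial value, an earlier invocation of handleMatch on the same `currentMatch` that had set it to `false` would be overwritten; if that can happen it over-denies rather than under-denies, but it is a behavior change worth confirming against the callers, which are outside this hunk. The `if(` / `else if(` spelling on the first two changed lines also departs from the `if (` style of the lines they replace. handleMatch begins and continues outside the hunk.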