When using "Enable Security" and Mercurial, the notifyCommit method fails even when anonymous has build permissions. The difference appears to be in the cookies.

Failed case:
GET /mercurial/notifyCommit?url=ssh://<redacted>/sandbox HTTP/1.1
User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: <redacted>:8080
Accept: /

HTTP/1.1 200 OK
Server: Winstone Servlet Engine v0.9.10
Content-Type: text/plain;charset=ISO-8859-1
Connection: Close
Date: Fri, 27 Apr 2012 17:37:29 GMT
X-Powered-By: Servlet/2.5 (Winstone/0.9.10)
Set-Cookie: JSESSIONID.79b17db3=3480193c16b0d5371437749c981fa1be; Path=/; HttpOnly

No mercurial jobs found

SUCCESS:
GET /mercurial/notifyCommit?url=ssh://<redacted>/sandbox HTTP/1.1
Host: <redacted>:8080
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-us,en;q=0.7,ja;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: __utma=142065709.672751542.1326231118.1326319384.1331761724.3; __utmz=142065709.1331761724.3.2.utmcsr=t.co|utmccn=(referral)|utmcmd=referral|utmcct=/M7DYDoPx; _mkto_trk=id:364-BLA-665&token:_mch-<redacted>-1326231118044-34632; iconSize=16x16; ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE=cnN0YW50b246MTMzNjQzMTg4NTIyOTpjN2U0ZTI4MGNiMGNkNTk2YTk0MmEwNjlkMDZkNDI5ZQ==; JSESSIONID.52356e8f=637ee763053a1b7d5ff29fd9a54088df; screenResolution=1920x1080
Cache-Control: max-age=0

HTTP/1.1 200 OK
Server: Winstone Servlet Engine v0.9.10
Content-Type: text/plain;charset=ISO-8859-1
Triggered: http://<redacted>/job/testjob/
Connection: Close
Date: Fri, 27 Apr 2012 17:36:04 GMT
X-Powered-By: Servlet/2.5 (Winstone/0.9.10)
Set-Cookie: JSESSIONID.79b17db3=68d15f2b379727128525f7f3933eae27; Path=/; HttpOnly