diff --git a/core/src/main/java/jenkins/security/ClassFilterImpl.java b/core/src/main/java/jenkins/security/ClassFilterImpl.java
index 22e4645557abeecf8fecd1b95a6da119e92c8fd4..bbc085b44286fea8a17e9c458c8730f3e607d233 100644
--- a/core/src/main/java/jenkins/security/ClassFilterImpl.java
+++ b/core/src/main/java/jenkins/security/ClassFilterImpl.java
@@ -273,6 +273,10 @@ public class ClassFilterImpl extends ClassFilter {
                 r = r.substring(0, r.length() - suffix.length());
             }
         }
+        if (r.startsWith("jar:file:/") && r.endsWith(".jar!/")) {
+            // JENKINS-49543: also an old behavior of Tomcat. Legal enough, but unexpected by isLocationWhitelisted.
+            r = r.substring(4, r.length() - 2);
+        }
         return r;
     }