The implementation of the URL validator is really odd because it basically relies on the constructor of java.net.URL. This has been discussed here before (HV-406, HV-513) and I understand and accept there's no perfect solution.
However, I'd expect that this be clearly stated in the Javadoc of the @URL constraint. IMO despite this is still not the case. I see 2 obvious issues:
Type Javadoc claims that "Per default the constraint verifies that the annotated value conforms to RFC2396". Doesn't prove that statement wrong? If RFC2396 were really supported wouldn't the validator have to accept URLs such as ldap://... or sip://...?
The annotation attribute Javadoc contradicts the type Javadoc. Because of 1. a statement like "Per default any protocol is allowed" (port attribute) is not correct.