diff --git a/test/src/test/java/jenkins/security/ResourceDomainTest.java b/test/src/test/java/jenkins/security/ResourceDomainTest.java
index b8f2d551b094..a2eb9de0b89a 100644
--- a/test/src/test/java/jenkins/security/ResourceDomainTest.java
+++ b/test/src/test/java/jenkins/security/ResourceDomainTest.java
@@ -55,6 +55,34 @@ public void prepare() throws Exception {
 configuration.setUrl(resourceRoot);
 }
 
+ @Test
+ public void groupPermissionsWork() throws Exception {
+ final JenkinsRule.DummySecurityRealm securityRealm = j.createDummySecurityRealm();
+ securityRealm.addGroups("alice", "admins");
+ j.jenkins.setSecurityRealm(securityRealm);
+ MockAuthorizationStrategy a = new MockAuthorizationStrategy().grant(Jenkins.READ).everywhere().to("admins");
+ j.jenkins.setAuthorizationStrategy(a);
+
+ JenkinsRule.WebClient webClient = j.createWebClient().login("alice");
+
+ { // DBS directory listing is shown as always
+ Page page = webClient.goTo("userContent");
+ Assert.assertEquals("successful request", 200, page.getWebResponse().getStatusCode());
+ Assert.assertTrue("still on the original URL", page.getUrl().toString().contains("/userContent"));
+ Assert.assertTrue("web page", page.isHtmlPage());
+ Assert.assertTrue("complex web page", page.getWebResponse().getContentAsString().contains("javascript"));
+ }
+ { // DBS on primary domain forwards to second domain when trying to access a file URL
+ webClient.setRedirectEnabled(true);
+ Page page = webClient.goTo("userContent/readme.txt", "text/plain");
+ final String resourceResponseUrl = page.getUrl().toString();
+ Assert.assertEquals("resource response success", 200, page.getWebResponse().getStatusCode());
+ Assert.assertNull("no CSP headers", page.getWebResponse().getResponseHeaderValue("Content-Security-Policy"));
+ Assert.assertTrue("Served from resource domain", resourceResponseUrl.contains(RESOURCE_DOMAIN));
+ Assert.assertTrue("Served from resource action", resourceResponseUrl.contains("static-files"));
+ }
+ }
+
 @Test
 public void secondDomainBasics() throws Exception {
 JenkinsRule.WebClient webClient = j.createWebClient();
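Review bot: groupPermissionsWork() only exercises the allow path, so it cannot tell "the resource domain honours alice's group-derived Jenkins.READ" apart from "the resource domain serves the file without evaluating permissions for the URL's user". A negative control under the same MockAuthorizationStrategy would close that gap: log in a second user who is not in "admins" and assert that `userContent/readme.txt` is refused, e.g. with `j.createWebClient().login("bob").assertFails("userContent/readme.txt", <expected status>)`. The exact status code needs confirming, and denial tests elsewhere in this class (outside the hunk) may already cover part of this. Separately, `resourceResponseUrl.contains(RESOURCE_DOMAIN)` is a substring match over the whole URL and would also pass if the name appeared only in the path or query. Comparing against `page.getUrl().getHost()` would pin the origin, assuming RESOURCE_DOMAIN (defined outside the hunk) is a bare host name.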