This rule flags role-name elements inside an auth-constraint in the WEB-INF/web.xml file that have no corresponding security-role element declared in the same file. Apache Tomcat does not require the security-role declaration, but the Java EE (Servlet) specification requires every role referenced by an auth-constraint to be declared this way. Other containers and deployment tools derive their role-to-user or role-to-group mapping from the declared security-role list, so an undeclared role name is also a portability hazard: the same web.xml may not map the role to any principal when the application is deployed on a different server.
This is an example of role-name elements that would be flagged:
    <web-app>
      ...
      <security-constraint>
        <display-name>ThisConstraint</display-name>
        <web-resource-collection>
          <web-resource-name>adminResources</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
          <description>The admins</description>
          <role-name>admin</role-name>
          <role-name>superuser</role-name>
        </auth-constraint>
      </security-constraint>
    </web-app>
Both the <role-name>admin</role-name> and the <role-name>superuser</role-name> lines would be flagged, because no security-role element declares either name.
The source scanner provides a quick fix that adds a security-role element for each missing role name.
In this example, the quick fix would add the following elements to the web.xml file:
    <security-role>
      <role-name>admin</role-name>
    </security-role>
    <security-role>
      <role-name>superuser</role-name>
    </security-role>
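The check and the quick fix described above can be reproduced outside the scanner with a short script. The following is an added example written for this page, not the scanner's own implementation: it parses a web.xml, reports every role-name used in an auth-constraint that has no security-role declaration, and appends the missing declarations. It matches elements by local name so that web.xml files with any Servlet namespace (or none) are handled, and it skips the special names `*` (all declared roles) and `**` (any authenticated user), which the Servlet specification defines and which are never declared as security-role. Both web.xml samples below are constructed for the example; the second one declares one of the two roles to show that only the undeclared role is reported.

```python
"""Added example: detect and repair role-name elements used in an
auth-constraint without a matching security-role (not the scanner's code)."""
import xml.etree.ElementTree as ET

# Constructed sample 1: the page's fragment, with no security-role at all.
PAGE_FRAGMENT = """<web-app>
  <security-constraint>
    <display-name>ThisConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>adminResources</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>The admins</description>
      <role-name>admin</role-name>
      <role-name>superuser</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample 2: namespaced Servlet 3.1 descriptor declaring only "admin".
NAMESPACED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>adminResources</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>superuser</role-name>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>"""

# Special role names defined by the Servlet spec; never declared as security-role.
SPECIAL_ROLE_NAMES = {"*", "**"}


def _local(tag):
    """Strip a '{namespace}' prefix so matching works for any web.xml namespace."""
    return tag.rsplit("}", 1)[-1]


def _namespace_of(root):
    """Return the root element's namespace URI, or None for an unnamespaced file."""
    return root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else None


def _role_names_under(root, container_tag):
    """Yield role-name texts that are direct children of container_tag elements."""
    for element in root.iter():
        if _local(element.tag) == container_tag:
            for child in element:
                if _local(child.tag) == "role-name" and child.text:
                    yield child.text.strip()


def find_undeclared_roles(web_xml_text):
    """Return role names used in auth-constraint elements with no security-role
    declaration, in order of first use and without duplicates."""
    root = ET.fromstring(web_xml_text)
    declared = set(_role_names_under(root, "security-role"))
    missing = []
    for name in _role_names_under(root, "auth-constraint"):
        if name not in SPECIAL_ROLE_NAMES and name not in declared and name not in missing:
            missing.append(name)
    return missing


def add_missing_security_roles(web_xml_text):
    """Quick-fix analogue: append a security-role element for each undeclared
    role. Returns (repaired_xml_text, list_of_added_role_names)."""
    root = ET.fromstring(web_xml_text)
    missing = find_undeclared_roles(web_xml_text)
    ns = _namespace_of(root)
    qualify = (lambda tag: "{%s}%s" % (ns, tag)) if ns else (lambda tag: tag)
    for name in missing:
        security_role = ET.SubElement(root, qualify("security-role"))
        ET.SubElement(security_role, qualify("role-name")).text = name
    if ns:
        # Keep the original default namespace instead of an ns0: prefix on output.
        ET.register_namespace("", ns)
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="unicode"), missing


if __name__ == "__main__":
    for sample in (PAGE_FRAGMENT, NAMESPACED_WEB_XML):
        print("undeclared roles:", find_undeclared_roles(sample))
        repaired, added = add_missing_security_roles(sample)
        print("added:", added)
        print(repaired)
```

Run against the page's fragment the script reports both `admin` and `superuser`, which is what the rule flags; against the namespaced sample it reports only `superuser`, and re-running the check on the repaired output reports nothing.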