This rule flags auth-constraint, role-name elements found in the WEB-INF/web.xml file that are missing the corresponding security-role element. Apache Tomcat server does not require that the security-role element be defined, but the Java EE specification indicates that it must be defined.
This is an example of auth-constraint, role-name elements that would be flagged:
Both the <role-name>admin</role-name> and the <role-name>superuser</role-name> lines would be flagged.
The source scanner contains a quick fix that adds any missing security-role elements.
In this example, the quick fix would add the following elements to the web.xml file:
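The check this rule describes, together with the security-role elements needed to declare the undeclared roles, as an added example that is not the scanner's own code. The function names are hypothetical, the sample web.xml is constructed around the admin and superuser roles named above, and skipping the Servlet wildcards "*" and "**" is an assumption.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: two roles used in auth-constraint, none declared.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>superuser</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Drop the XML namespace so namespaced and DTD-era descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def role_names(root, parent):
    """Unique role-name values directly under every <parent>, in document order."""
    roles = []
    for elem in root.iter():
        if local(elem.tag) != parent:
            continue
        for child in elem:
            name = (child.text or "").strip()
            if local(child.tag) == "role-name" and name and name not in roles:
                roles.append(name)
    return roles

def missing_security_roles(web_xml):
    """Roles referenced by auth-constraint with no matching security-role."""
    root = ET.fromstring(web_xml)
    declared = set(role_names(root, "security-role"))
    # Assumption: the Servlet wildcards "*" and "**" are not roles to declare.
    return [r for r in role_names(root, "auth-constraint")
            if r not in declared and r not in ("*", "**")]

def security_role_xml(roles):
    """Render the security-role elements needed to declare the given roles."""
    return "\n".join(f"<security-role>\n  <role-name>{escape(r)}</role-name>\n"
                     "</security-role>" for r in roles)

if __name__ == "__main__":
    missing = missing_security_roles(SAMPLE_WEB_XML)
    print("undeclared roles:", missing)
    print(security_role_xml(missing))
```

Run against a real descriptor by passing the contents of WEB-INF/web.xml to missing_security_roles; an empty list means every role used in an auth-constraint is declared.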