== Why is this an issue?

Websphere, Tomcat, and JBoss web servers allow the definition of role-based access to servlets. It may not be granular enough for your purposes, but it's a start, and should be used at least as a base.


This rule raises an issue when a _web.xml_ file has no ``++<security-constraint>++`` elements.


== Resources

* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Add "security-constraint" elements to this descriptor.


=== Highlighting

top-level element


'''
== Comments And Links
(visible only on this page)

=== on 19 Mar 2018, 11:01:13 Sébastien GIORIA - AppSecFR wrote:
Could tagged A6:2017 too. This is a configuration element

endif::env-github,rspecator-view[]