Why you should care

Every Servlet or JSP exposed to the Internet represents another attack surface and potential failure point. The best solution is to expose only what’s necessary under the most restrictive conditions that make sense.

It is common to think that internal web applications are deployed where they can only be accessed from trusted users. But in reality you can often find situations where the security policy needs to change, for example the ports or the source address to access to the web server might change or the mix of security policy and Network Address Translation policy open an unwanted address, port

A JSP application is not secured if the web.xml that doesn’t match the following conditions:
* Existence of node: security-constraint/web-resource-collection/url-pattern
* Existence of node: security-constraint/auth-constraint in the same node than the previous security-constraint node
* the url-pattern defined in security-constraint/web-resource-collection/url-pattern match at least one JSP page or a Servlet

CAST Recommendations

References

https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html

How we detect

This code insight counts one occurrence if the web.xml file does not contain a <security-constraint> OR if this tag does not contain both following items :

a <web-resource-collection><url-pattern> node .
an <auth-constraint> node.

Note : the web.xml file can contain several <security-constraint> tags. There is no violation for the rule if at least one of them is compliant with the above.