Kingdom: Environment
This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.
J2EE Misconfiguration: Duplicate Security Role
Abstract
Multiple security roles with the same name exist. Duplicate security roles often indicate left over debug code or a typographical error.
Explanation
Duplicate security roles serve no purpose since only the last definition of a given security role will be applied.
Example 1: The entry from a
Example 1: The entry from a
web.xml file defines two admin roles.
<security-constraint>
<web-resource-collection>
<web-resource-name>AdminPage</web-resource-name>
<description>Admin only pages</description>
<url-pattern>/auth/noaccess/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>Administrators only</description>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
...
<security-role>
<description>Administrator</description>
<role-name>admin</role-name>
</security-role>
<security-role>
<description>Non-Administrator</description>
<role-name>admin</role-name>
</security-role>
References
[1] Sun Microsystems, Inc. Java Servlet Specification 2.4
[2] Standards Mapping - Common Weakness Enumeration CWE ID 284
[3] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[4] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[5] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[6] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[9] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.j2ee_misconfiguration_duplicate_security_role