Websphere, Tomcat, and JBoss web servers allow the definition of role-based access to servlets. It may not be granular enough for your purposes, but it's a start, and should be used at least as a base.
This rule raises an issue when a web.xml file has no <security-contraint>
elements.