WebSphere, Tomcat, and JBoss web servers allow the definition of role-based access to servlets. This access control may not be granular enough for your purposes, but it's a start, and should be used at least as a base.

This rule raises an issue when a web.xml file has no <security-constraint> elements.
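The check described above, sketched as an added example (not the rule's actual implementation and not code from the original page). The two embedded descriptors, the `/admin/*` pattern, the `admin` role and the function names are constructed for illustration; the matcher ignores the XML namespace so it works on descriptors from any servlet spec version.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors; servlet, URL and role names are hypothetical.
NONCOMPLIANT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>admin</servlet-name>
    <servlet-class>com.example.AdminServlet</servlet-class>
  </servlet>
</web-app>"""

COMPLIANT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>"""


def descendants(el, name):
    """Elements under el (el included) whose tag, minus '{namespace}', is name."""
    return [e for e in el.iter() if e.tag.rsplit("}", 1)[-1] == name]


def constraints(web_xml):
    """Return one (url-patterns, role-names) pair per <security-constraint>."""
    root = ET.fromstring(web_xml)
    return [([u.text.strip() for u in descendants(sc, "url-pattern") if u.text],
             [r.text.strip() for r in descendants(sc, "role-name") if r.text])
            for sc in descendants(root, "security-constraint")]


def has_issue(web_xml):
    """True when the descriptor declares no <security-constraint> at all."""
    return not constraints(web_xml)


if __name__ == "__main__":
    for label, doc in (("noncompliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        print(label, "-> issue" if has_issue(doc) else constraints(doc))
```

The returned role lists go one step past the presence check: a constraint whose role list is empty has no `<auth-constraint>` roles attached and deserves a manual look.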

Deprecated

This rule is deprecated, and will eventually be removed.