Multiple security roles with the same name exist. Duplicate security roles often indicate leftover debug code or a typographical error, such as a second role declaration that was meant to carry a different name.
Duplicate security roles serve no purpose: only the last definition of a given role name takes effect, so whatever the other definition was meant to express is silently lost. The risk lies in what the duplicate hides. If the second entry was supposed to declare a different role, then the auth-constraint or role-link that should reference that role is now either unresolved or bound to the wrong role, and access may be granted or denied differently than intended. The Servlet 2.4 schema also declares security-role/role-name as a key, so a container that validates the descriptor may refuse to deploy the application at all.
Example 1: The following entry from a web.xml file declares the admin role twice.
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminPage</web-resource-name>
      <description>Admin only pages</description>
      <url-pattern>/auth/noaccess/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description>Administrators only</description>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  ...
  <security-role>
    <description>Administrator</description>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <description>Non-Administrator</description>
    <role-name>admin</role-name>
  </security-role>
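The second role above is described as "Non-Administrator" but named admin, which is the typo pattern the text warns about. As an added check (example code, not part of the original page or of the Servlet specification), the following Python script lints a web.xml for duplicate <security-role> declarations and, going one step further, for role names that an <auth-constraint> or a <security-role-ref>/<role-link> references but no <security-role> declares. The descriptor it parses is constructed for the demonstration: it extends the page's example with a second constraint on a role named user, the role the mistyped entry was presumably meant to declare.

```python
"""Lint a web.xml for duplicate and undeclared security roles.

Added example, not code from the original page. It handles both the
namespaced Servlet 2.4 form (http://java.sun.com/xml/ns/j2ee) and an
un-namespaced descriptor by comparing local tag names only.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample descriptor: same shape as the page's example, plus a
# constraint on "user", the role the mistyped second entry was probably for.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminPage</web-resource-name>
      <url-pattern>/auth/noaccess/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>UserPage</web-resource-name>
      <url-pattern>/auth/user/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <description>Administrator</description>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <description>Non-Administrator</description>
    <role-name>admin</role-name>
  </security-role>
</web-app>
"""

# (parent element, child element) pairs whose text references a declared role.
ROLE_REFERENCES = [
    ("auth-constraint", "role-name"),   # constraint grants access to this role
    ("security-role-ref", "role-link"), # servlet-local alias mapped to this role
]


def _local(tag):
    """Strip an XML namespace: '{http://...}role-name' -> 'role-name'."""
    return tag.rsplit("}", 1)[-1]


def _child_texts(root, parent_name, child_name):
    """Stripped text of every child_name directly under a parent_name element."""
    out = []
    for el in root.iter():
        if _local(el.tag) != parent_name:
            continue
        for child in el:
            if _local(child.tag) == child_name and child.text:
                out.append(child.text.strip())
    return out


def declared_roles(root):
    """Role names from <security-role>, in document order, repeats included."""
    return _child_texts(root, "security-role", "role-name")


def referenced_roles(root):
    """Role names that constraints or role-links point at."""
    refs = []
    for parent, child in ROLE_REFERENCES:
        refs.extend(_child_texts(root, parent, child))
    return refs


def lint_web_xml(xml_text):
    """Return (duplicates, undeclared), each a sorted list of role names."""
    root = ET.fromstring(xml_text)
    declared = declared_roles(root)
    counts = Counter(declared)
    duplicates = sorted(name for name, n in counts.items() if n > 1)
    undeclared = sorted(set(referenced_roles(root)) - set(declared))
    return duplicates, undeclared


if __name__ == "__main__":
    dups, missing = lint_web_xml(SAMPLE_WEB_XML)
    for name in dups:
        print(f"duplicate <security-role>: {name!r} is declared more than once")
    for name in missing:
        print(f"undeclared role: {name!r} is referenced but never declared")
```

Run against the constructed descriptor, the script reports admin as a duplicate and user as referenced but undeclared. The second finding is the one that matters operationally: how a container treats a constraint on an undeclared role is implementation-defined (Tomcat, for one, logs a warning and adds the role implicitly), so the fix is to correct the misnamed <security-role> rather than to rely on that behaviour.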
[1] Standards Mapping - Common Weakness Enumeration (CWE): CWE ID 398
[2] Sun Microsystems, Inc., Java Servlet Specification 2.4