Access to files from /bonita webapp container is too liberal. You can get files like web.xml with HTTP request with simple path traversal. Files from WEB-INF and META-INF should not be accessible.
Tomcat and Wildfly bundles
curl http://localhost:8080/bonita/apps/webapp-name/API/living/../../WEB-INF/web.xml --path-as-is