Access to files from /bonita webapp container is too liberal. You can get files like web.xml with HTTP request with simple path traversal. Files from WEB-INF and META-INF should not be accessible.
Tomcat and Wildfly bundles