How do I prevent users from viewing the contents of my WEB-INF directory?

Alessandro A. Garbagnati

Servlet Engines (e.g. Resin or Tomcat) should not allow directory browsing of WEB-INF. Tomcat 3.2, for example, had that same issue and they have fixed it in Tomcat 3.2.1. This was happening when Tomcat was used standalone (not just as a container, but even as a web server).

If this problem happens with a specific version of a standalone Resin, you should consider to try the latest version (I'm running 1.2.5) and, eventually, send a bug to Caucho.

Consider that this issue should happen when using the container in standalone mode. When the container (Resin, Tomcat or abother one) is used just for serving servlet & jsp behind a more reliable and complete web server, like Apache, the problem is on Apache, that is serving everything else. When you ask for WEB-INF, in fact, Apache doesn't even connect to Tomcat, there is no reason.

So, if this is your scenario, you should add lines like these:

<Directory /WEB-INF>
AllowOverride None
Deny From All

Inside the virtual host or whatever you think is appropriate and, obviously, changing "/WEB-INF" with the appropriate context.