How do I prevent users from viewing the contents of my WEB-INF directory?
Created May 7, 2012
If this problem happens with a specific version of a standalone Resin, you should consider to try the latest version (I'm running 1.2.5) and, eventually, send a bug to Caucho.
Consider that this issue should happen when using the container in standalone mode. When the container (Resin, Tomcat or abother one) is used just for serving servlet & jsp behind a more reliable and complete web server, like Apache, the problem is on Apache, that is serving everything else. When you ask for WEB-INF, in fact, Apache doesn't even connect to Tomcat, there is no reason.
So, if this is your scenario, you should add lines like these:
<Directory /WEB-INF>
AllowOverride None
Deny From All
</Directory>
Inside the virtual host or whatever you think is appropriate and, obviously, changing "/WEB-INF" with the appropriate context.