The servlet spec (and tomcat is spec compliant) forbids the client direct access to anything in WEB-INF. I can think of two possibilities for what you are seeing:
1) You have Apache or IIS in front of this serving out static content. In that case, do what others have suggested and configure Apache or IIS to block access to files in WEB-INF. 2) You have a servlet offering up material from your webapp and it's erroneously serving up material in WEB-INF as well. This wouldn't be anything provided by tomcat -- it would be one of your servlets if it exists. --David Scott Purcell wrote: >Hello, > >I was showing someone my website the other day, and when they started playing >with the URL, they could see the jsp files, html files, and files under the >WEB-INF directory. > >Is created a <welcome-file-list> in the web.xml, but I guess if someone plays >with the url and tries to get a look at the files that does not help. > >How does one shut down all access to anything from a url > >Thanks >Scott > >--------------------------------------------------------------------- >To unsubscribe, e-mail: [EMAIL PROTECTED] >For additional commands, e-mail: [EMAIL PROTECTED] > > > -- ======================================= David Smith Network Operations Supervisor Department of Entomology College of Agriculture & Life Sciences Cornell University 2132 Comstock Hall Ithaca, NY 14853 Phone: 607.255.9571 Fax: 607.255.0939 --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]