From: "David Smith" <[EMAIL PROTECTED]>
The servlet spec (and tomcat is spec compliant) forbids the client direct access to anything in WEB-INF. I can think of two possibilities for what you are seeing: 1) You have Apache or IIS in front of this serving out static content. In that case, do what others have suggested and configure Apache or IIS to block access to files in WEB-INF. 2) You have a servlet offering up material from your webapp and it's erroneously serving up material in WEB-INF as well. This wouldn't be anything provided by tomcat -- it would be one of your servlets if it exists.
SRV9.5 (Servlet 2.4) says "No file contained in the WEB-INF directory may be served directly to a client by the container." I am not the OP, but I have a similar situation. I dropped an old (Servlet 2.3) .war file into a fresh Tomcat 5.5 install, and started seeing directory listings of contents under WEB-INF. It seems to be coming from the Struts Tiles tags, (which would fit into your #2 possibility,) though I haven't had time to investigate. Specifically, I think a <tiles:insert attribute="xxx" /> tag will do it when 'xxx' is empty. I'll go see if any of the Tiles experts can confirm. Does listing the contents of a directory == serving a file directly to a client? I don't think so... though I was *very* surprised to see the directory listings. I saved a screen shot just so I could prove it was really happening. :) Clicking on any of the links in the list gives the usual '404', and turning off listings as advised by an earlier post in this thread fixed the problem. -- Wendy Smoak --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
