Maybe this is a known bug, but I couldn't find any references to it.
A security consultant hired to find holes in our environment informed us that it was possible to download the webapp jar files from the WEB-INF dir by adding a "." to the WEB-INF in the URL. I tried it, and it works! Actually it works for any file under WEB-INF... even if directory browsing is disabled.
As proof, using a default Glassfish V1 install, you can download stuff from the admin application's WEB-INF directory:
http://localhost:4848/asadmin/WEB-INF./lib/admin.jar
Although this seems to have been fixed in Glassfish V2, is there a way to block this in V1 without upgrading? We would happily upgrade to V2 but we need to run it in a 64 bit Windows JVM.
[Message sent by forum member 'fraxion' (fraxion)]
http://forums.java.net/jive/thread.jspa?messageID=232046
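The bypass described in the post is a canonicalization problem: the container's WEB-INF check is a string comparison on the raw request path, but the filesystem resolves "WEB-INF." to the WEB-INF directory (Windows, which the poster is running on, ignores trailing dots and spaces in a path component, so that is the likely mechanism here). The defensive rule is to canonicalize the path first and only then apply the deny rule. The following is an added illustration written for this page, not Glassfish code and not code from the post; the `naive_is_protected` check, the `canonicalize` routine and the `/asadmin` context path are assumptions chosen to mirror the URL in the post.

```python
"""
Canonicalize-then-authorize check for servlet-style protected directories.
Constructed example for the WEB-INF. bypass; not Glassfish's implementation.
"""
from urllib.parse import unquote

PROTECTED_DIRS = {"WEB-INF", "META-INF"}


def naive_is_protected(context_relative_path: str) -> bool:
    """The weak form: a prefix match on the raw path.

    '/WEB-INF./lib/admin.jar' does not start with '/WEB-INF/', so this
    check lets the request through even though the filesystem will open
    the WEB-INF directory for it.
    """
    return context_relative_path.upper().startswith("/WEB-INF/")


def canonicalize(path: str, windows_semantics: bool = True) -> str:
    """Return a normalized absolute path for comparison purposes.

    Steps: percent-decode, split on '/', drop empty and '.' segments,
    resolve '..' against the accumulated segments, and (when the server
    runs on Windows) strip trailing dots and spaces, which the Win32 API
    silently drops from a file or directory name.
    """
    decoded = unquote(path)
    segments = []
    for seg in decoded.split("/"):
        if windows_semantics:
            seg = seg.rstrip(". ")  # 'WEB-INF.' and 'WEB-INF ' both mean WEB-INF on Windows
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_protected(request_path: str, context_path: str = "") -> bool:
    """Canonicalize the full request path, strip the webapp's context path,
    and deny if the first remaining segment is a protected directory.

    The comparison is case-insensitive because the underlying filesystem
    may be; a deny rule should never be stricter about case than the
    filesystem that ultimately serves the file.
    """
    canon = canonicalize(request_path)
    ctx = canonicalize(context_path) if context_path else ""
    if ctx and ctx != "/":
        if canon.upper() == ctx.upper():
            return False  # request for the context root itself
        if not canon.upper().startswith(ctx.upper() + "/"):
            return False  # belongs to a different webapp
        canon = canon[len(ctx):]
    first = canon.split("/")[1].upper() if len(canon) > 1 else ""
    return first in PROTECTED_DIRS


if __name__ == "__main__":
    # Constructed requests against the /asadmin context from the post.
    for raw in ("/asadmin/WEB-INF./lib/admin.jar",
                "/asadmin/./WEB-INF/web.xml",
                "/asadmin/index.html"):
        verdict = "DENY " if is_protected(raw, "/asadmin") else "allow"
        print(f"{verdict} {raw} -> {canonicalize(raw)}")
```

The point the two functions make side by side: the raw-path prefix check says "allow" for the exact URL in the post, while the canonicalized check says "deny" because it compares what the filesystem will actually open. In a servlet container the canonicalized check belongs in a filter mapped to `/*` that answers 404 for protected paths; whether such a filter runs ahead of the default servlet in Glassfish V1 is an assumption that would need to be confirmed on that version.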