On SJSAS 8.2 we just discovered a vulnerability in that WEB-INF directories can be listed when browsing directly to the folder structure of our application.
Is there any sort of robots.txt or htaccess file that is editable on the application server to restrict this?
[Message sent by forum member 'jvermast']
http://forums.java.net/jive/thread.jspa?messageID=481182