Restrict Tomcat web.xml and other resources under WEB-INF from user access


I have a multi Tomcat setup on my (client's) machine. It is a Spring Hibernate setup. It was handed over to my client by some other vendor who was managing it till date.

There is some setting within the server (that I am missing) that is causing the files under WEB-INF to be openly accessible. Whether it is context-datasource.xml, dispatcher-servlet.xml or even the web.xml, all files are getting easily accessed from the browser.

To tackle the issue, we added a code snippet that puts a blanket restriction on any kind of user directly accessing any resource under the "WEB-INF" folder hierarchy. The code is as follows:

<!-- web.xml uses the element name security-constraint, not SecurityConstraint -->
<security-constraint>
     <web-resource-collection>
         <web-resource-name>Restrict WEB-INF resources</web-resource-name>
         <url-pattern>/WEB-INF/*</url-pattern>
     </web-resource-collection>
     <!-- empty auth-constraint: no role may access the collection -->
     <auth-constraint/>
</security-constraint>

We placed this setting in Tomcat's conf/context.xml, conf/web.xml, and /web.xml

Didn't work.


1 answer

Jay Pagnis:

Unfortunately, after I perused the documentation, which was shared by the client after much persuasion, I learnt that the setup was as follows:

[ Apache Httpd ] => mod_jk => [ Tomcat ]

This setup and detail were not available to us before when we were diagnosing the issue.

The folder was getting accessed from the Apache Httpd. We had to put the rules in .htaccess file to restrict the browser access.

I hope this helps someone who is looking at a similar setup and facing a similar issue.
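For the httpd-in-front layout the answer describes, the rule has to live on the httpd side, because httpd is serving the webapp directory as plain files before mod_jk ever hands the request to Tomcat. The configuration below is an added example, not the asker's or answerer's own config; it assumes Apache httpd 2.4 and a hypothetical DocumentRoot of /opt/tomcat/webapps/ROOT pointing at the deployed webapp.

```apacheconf
# Added example for the [ Apache Httpd ] => mod_jk => [ Tomcat ] setup.
# Assumption: DocumentRoot is the deployed webapp directory (hypothetical
# path), so httpd can serve WEB-INF/web.xml etc. directly unless told not to.
DocumentRoot "/opt/tomcat/webapps/ROOT"

# Only dynamic paths are forwarded to Tomcat here (hypothetical worker name);
# everything else is served by httpd from DocumentRoot, which is exactly how
# WEB-INF became reachable.
JkMount /*.do    tomcat_worker
JkMount /api/*   tomcat_worker

# Deny any URL whose path contains a WEB-INF or META-INF segment, matched
# case-insensitively, before httpd maps it to a file. Covers /WEB-INF/web.xml,
# /web-inf/classes/..., and the directory itself with or without a slash.
<LocationMatch "(?i)/(WEB-INF|META-INF)(/|$)">
    Require all denied
</LocationMatch>

# Belt and braces at the filesystem layer, so an Alias or symlink that maps
# into the webapp tree cannot expose these directories via another URL.
<DirectoryMatch "(?i)/(WEB-INF|META-INF)(/|$)">
    Require all denied
</DirectoryMatch>

# Equivalent per-directory form, as used in the answer: a .htaccess file
# placed inside WEB-INF/ containing just the line below. This only takes
# effect if the enclosing <Directory> has "AllowOverride AuthConfig" or
# "AllowOverride All"; with "AllowOverride None" the file is silently ignored.
#
#     Require all denied
#
# On Apache httpd 2.2 the equivalent directives are:
#     Order deny,allow
#     Deny from all
```

After reloading httpd, a request for /WEB-INF/web.xml should return 403 from httpd rather than the file contents; Tomcat itself never serves /WEB-INF/ per the servlet spec, which is why the web.xml constraint alone appeared to have no effect.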