should I be able to browse to /WEB-INF/whatever?

All the documentation I can find says that files and folders underneath the /WEB-INF directory should, by default, be inaccesible to someone browsing my site. Any attempts to access these files or folders should return a "404 - File Not Found".

However, when I try to browse to, say, /WEB-INF/classes/someresourcebundle.properties my browser happily loads it. The same with /WEB-INF/struts-config.xml, or any other file under this directory.

It is my understanding the servlet specification states that any attempts to access the /WEB-INF hierarchy should be met with a "404 - File Not Found". I can restrict access to WEB-INF by adding some lines to my httpd.conf, like so:

<Location"/WEB-INF/*">

AllowOverride None

deny from all

</Location>

<Directory"C:/siteroot/WEB-INF/">

AllowOverride None

deny from all

</Directory>

...but this returns a "403 - Forbidden" rather than a 404.

Am I supposed to explicitly map WEB-INF to be served by Tomcat? If so, how do I do this? If not, what's going on here? What do I need to do to make this behave as it's supposed to?

Thanks,

millz

[1245 byte] By [dmillza] at [2007-11-27 8:00:38]