Marc, in the message title you say you want to suppress directory listings, but in the content, you speak about preventing access to some directories. These are two completely different things.
Almost all responses you are receiving are directed to the first issue, that is, preventing Tomcat from presenting its own directory page when you use a URL like http://server/dir/. I can only add that the $CATALINA_HOME/conf/web.xml is just a web.xml template. You can override most configurations in that file by copying the part you are interested in into your local web.xml, and making any modification there. Particularly, you can redefine the default servlet, and configure it as you want. So you don't need access to the global web.xml file :-)

If we pass to the second issue, I see 3 options:

1. If you want to allow access to some directories only to certain logged-in users, you can set up security constraints in your web.xml, as Craigh pointed out before.
2. If you use those directories only for internal use of your servlets/JSPs, you could move them inside the WEB-INF directory. This way nobody will have access to them from the web.
3. If you don't want to change directory locations (because there's too much code to change, for example), you could use security constraints, and allow access only to a nonexistent role.

You said that you cannot change conf/web.xml. I suppose you plan to deploy your webapp into a Tomcat from a third person (client, ISP, or something). If this is the case, be sure you have some control or knowledge about the realm used by your webapp. If you cannot control the roles in the realm, the third option can be insecure, as you will not control if a specified role exists or will exist in the future.

Hope it helps!
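An added illustration of the configuration discussed in the message above (not part of the original post): a fragment of a webapp's own WEB-INF/web.xml that redefines the default servlet with listings turned off and applies option 3 to one directory. The path /internal/* and the role name no-such-role are hypothetical.

```xml
<!-- Fragment of the webapp's WEB-INF/web.xml (inside <web-app>).
     /internal/* and no-such-role are hypothetical names. -->

<!-- Redefine Tomcat's default servlet locally, with directory listings off,
     instead of editing $CATALINA_HOME/conf/web.xml -->
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>default</servlet-name>
  <url-pattern>/</url-pattern>
</servlet-mapping>

<!-- Option 3: keep the directory where it is, but only allow a role that
     is not expected to exist in the realm -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Internal files</web-resource-name>
    <url-pattern>/internal/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>no-such-role</role-name>
  </auth-constraint>
  <!-- If the realm is outside your control, an empty <auth-constraint/>
       (no role-name at all) is the safer variant: the servlet
       specification defines it as "no user is allowed access", so it
       does not depend on which roles the realm contains. -->
</security-constraint>

<!-- Role names used in constraints should be declared -->
<security-role>
  <role-name>no-such-role</role-name>
</security-role>
```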