By default it is possible to retrieve files located under the 'WEB-INF' directory. For example: www.someserver.com/WEB-INF./web.xml or www.someserver.com/WEB-INF./classes/MyServlet.class
What needs to be done to prevent it? Why are such restrictions not set by default? This vulnerability prevents us from passing the security certification test.
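
One way to enforce the restriction asked about above, as an added example that is not part of the original post or of any server's own code: a path check that treats `WEB-INF.` the same as `WEB-INF`. The class name `ProtectedPathGuard`, the method `isProtected` and the sample paths are hypothetical, and the check assumes the bypass comes from the file system ignoring trailing dots and spaces in directory names.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

// Added example (not from the original post): deny-check for protected webapp directories.
public class ProtectedPathGuard {
    // Directories whose contents must never be served to clients.
    private static final Set<String> PROTECTED = Set.of("web-inf", "meta-inf");

    /** True when any segment of the request path resolves to a protected directory. */
    public static boolean isProtected(String rawPath) {
        String path;
        try {
            // Decode percent-escapes once so the check sees the characters the server will use.
            path = URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return true; // malformed escape: refuse rather than guess
        }
        for (String segment : path.split("[/\\\\]+")) {
            // Drop path parameters such as ";jsessionid=..." before comparing.
            int semi = segment.indexOf(';');
            if (semi >= 0) segment = segment.substring(0, semi);
            // Assumption: the file system ignores trailing dots and spaces in a name,
            // so "WEB-INF." opens the same directory as "WEB-INF".
            String name = segment.replaceAll("[. ]+$", "").toLowerCase(Locale.ROOT);
            if (PROTECTED.contains(name)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample paths; the first two are the forms quoted in the post.
        String[] samples = {
            "/WEB-INF./web.xml",
            "/WEB-INF./classes/MyServlet.class",
            "/WEB-INF/web.xml",
            "/web-inf./web.xml",
            "/index.jsp",
            "/docs/WEB-INF-notes.html"
        };
        for (String p : samples) {
            System.out.printf("%-40s %s%n", p, isProtected(p) ? "DENY" : "allow");
        }
    }
}
```

The first four sample paths are denied and the last two are allowed. The check is meant to be called on the request URI before the request reaches any file-serving code, returning 404 when it reports true.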