Tomcat: Disabling Directory Listings

This is the second in a series of posts detailing my efforts to stand up a Tomcat/ACF10 development environment next to my existing Apache/JRun/ACF9 stack. For background, see the first post in the series.

I will focus my initial configuration efforts on some basics for securing the Tomcat/ACF10 stack, addressing things I know the security scanning services on our network look specifically for. I will start with disabling directory listings provided by default when a browser requests a URL for a directory without a default document. In this post (and all future posts in the series, unless I specifically indicate otherwise), I will use paths based upon my installation of ACF10 in the default location on Mac OS X systems. By default ACF10 is installed in /Applications/ColdFusion10; you can translate as needed for your installation.

To disable directory listings, find the <servlet> element within file ./cfusion/runtime/conf/web.xml. Within that element, find (or insert) an <init-param> element with a child <param-name> element with a value of listings. Set the <param-value> element to false.


Restart the server, and we can check this one off our list.