Directory displays are handled by the DefaultServlet as configured in the default web.xml file. There are a number of configuration parameters, including "listings" - set that to false and Tomcat will not do any directory listings. You could then handle security and file serving in a custom servlet for that application.
You can also create a modified version of DefaultServlet or use XSLT to customize the display generated by DefaultServlet.
I’ve looked at a lot of different solutions, and in my humble opinion Aspose is the way to go. Here’s the link: http://aspose.com
subject: restricted files access using apache/jakarta tomcat