Let me guess your true question (since the text you type would usually not fit into the Tomcat forum): how to protect directories from being exposed to the requesting HTTP client (a.k.a. browser).
For Tomcat it's a matter of discipline: generally you can see only the stuff in webapps and its subdirectories. So this is where your stuff goes to be visible. A special role (Bartender, shoot me if I tell rubbish) has the WEB-INF directory. It is always protected from being served back to the client. Content there needs to be picked up by the server (meaning: your Java code) and delivered to the client.
Besides that, Tomcat (and/or Apache HTTP) comes with file protection. Check the docs.

BTW: Your question title "autentification" is wrong (and I don't mean the typo). Authentication only establishes WHO you are (by file, by LDAP, by DB). After that you have Authorization, which can tell WHAT you can do. By default there is no authentication active, so you are known as "Anonymous" (I REALLY hope there is not a poor fellow on this planet named Paul Anonymous!). So all access to resources is handled by the access profile (= the check-list of permissions) of anonymous.

Hth! ;-)
stw

[ June 15, 2004: Message edited by: Stephan Wissel ]
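The authentication/authorization split described in the post above, shown in a web application's deployment descriptor. This is an added example, not part of the original post: the paths `/internal/*` and `/reports/*`, the role `staff` and the realm name are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml (Servlet 2.4). Paths, role and realm name are illustrative. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Deny everyone: an empty auth-constraint means no role is allowed,
       so nothing under /internal/ is served to any client, which is the
       protection WEB-INF gets by default. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Internal files</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
      <!-- no http-method elements: the constraint covers all methods -->
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Authorization (WHAT you can do): only callers holding the
       "staff" role may request anything under /reports/. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>staff</role-name>
    </auth-constraint>
    <!-- BASIC sends credentials base64-encoded, so require TLS -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authentication (WHO you are): how the container asks for
       credentials. The user store (file, LDAP, DB) is the Realm
       configured in the container, not in this file. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Realm</realm-name>
  </login-config>

  <security-role>
    <role-name>staff</role-name>
  </security-role>
</web-app>
```

URLs not matched by any constraint remain open to unauthenticated ("anonymous") requests.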