How can I prevent a user from accessing some directories inside a webapp? I have some configuration XML items and these can be viewed by the browser if the full path is known. Is there a setting which I can add in web.xml for my webapp, which can display some sort of (404) error with a mapping to the directory?
If you put your configuration items under the WEB-INF directory, Tomcat will not serve them. Thats the whole idea behind WEB-INF - concealed from browsers but available to applications. If you do this right your file locations will not be dependent on absolute file locations. See the methods in javax.servlet.ServletContext such as getRealPath()