How to avoid directory listing in JBoss?
You can disable this through the web.xml file present in %JBOSS_HOME%/server/default/deploy/jbossweb-tomcatXX.sar/conf folder. By default, the value for the 'listings' init-param is true. You will have to change it to false as follows:
How should I give forbidden message when user tries to access unrelated files?
What does an unrelated file mean?