Re: Another Servlet/JSTL question

From: Arne Vajhøj <arne@vajhoej.dk>
Newsgroups: comp.lang.java.programmer
Date: Tue, 03 Aug 2010 22:20:16 -0400
Message-ID: <4c58ce5b$0$284$14726298@news.sunsite.dk>

On 03-08-2010 18:33, Lew wrote:

Simon Brooke wrote:

The servlet container intentionally will not
serve anything within the WEB-INF directory - obviously, because if a
hacker could get hold of, e.g., your web.xml it would be very easy to
compromise your site.


It will not *directly* serve the contents of the WEB-INF/ directory
tree, that is, it will not respond to a client-side request for
resources so protected. The container will deliver content from the
WEB-INF/ tree if the server-side artifacts include it, e.g., through a
<jsp:include> action.

It is standard to put JSP fragments (.jspf files), images and other
resources, configuration files and such under the WEB-INF/ hierarchy.

Content which you wish to serve cannot and must not be stored in WEB-INF.


That is, unless you plan to incorporate it through server-side
actions, in which case it's a best practice to store things in the
WEB-INF/ tree that you don't want accessed directly from the client,
but do want to serve indirectly.


All this was BTW mentioned in PMZ's previous thread.

Arne
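
The indirect serving described in this thread, as an added example that is not part of the original posts: a servlet forwards to JSPs kept under WEB-INF/, choosing the target from a fixed allowlist so that request input never becomes a dispatcher path (a server-side forward or include is not subject to the container's block on direct WEB-INF/ requests). The class name, the `view` parameter and the JSP paths are hypothetical, and the code assumes the `javax.servlet` API and Java 9+ for `Map.of`.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical front controller; map it to a URL such as /page in web.xml.
public class PageServlet extends HttpServlet {

    // Fixed allowlist: logical view name -> JSP stored under WEB-INF/.
    // These paths are assumptions made for the example.
    private static final Map<String, String> VIEWS = Map.of(
            "home",   "/WEB-INF/jsp/home.jsp",
            "report", "/WEB-INF/jsp/report.jsp");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The client supplies only a logical name, never a path.
        String name = req.getParameter("view");
        String target = (name == null) ? null : VIEWS.get(name);

        if (target == null) {
            // Unknown or missing view: same answer the container gives
            // for a direct request to anything under /WEB-INF/.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Server-side dispatch: the container renders the JSP even though
        // a browser request for /WEB-INF/jsp/home.jsp would be refused.
        req.getRequestDispatcher(target).forward(req, resp);
    }
}
```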
