a recent security audit of an application based on jboss that I am developing revealed that we can access the web.xml of the http-invoker.sar through a URL from the web.
the URL is: http://localhost:8083/WEB-INF./web.xml
jboss version is 4.0.2
how can i change this? is this a known issue in 4.0.2?
thanks in advance.