But, since the WEB-INF directory may be used internally, it is actually a
nice place to stick some 'hidden' files.
Isn't there any way to distinguish internal requests from direct client
requests? If not, the WEB-INF directory should be filtered at a lower level
before the request is sent to the CM.
> Read the specification, section 9.4:
>
> A special directory exists within the application hierarchy named "WEB-INF".
> This directory contains all things related to the application that aren't in
> the document root of the application. It is important to note that the
> WEB-INF node is not part of the public document tree of the application.
> No file contained in the WEB-INF directory may be served directly to a
> client.