By default the directory listing is turned on on GlassFish application server. This is great while developing as one can see list of files and folders in one’s web application.
However, on a live web application, the need for greater security necessitates that directory listing is turned off so that users are prevented from browsing files and folders in one’s webroot.
To turn off directory listing is a two-step process. First, set the “listing” node to “false” in config/default-web.xml file. And second, redeploy the web application in question. Just changing the default-web.xml won’t suffice. Once the web application is redeployed, the directory listing is turned off.