Tomcat is vulnerable to directory information disclosure. When accessing a directory protected by a security constraint with a URL that did not need in a slash, Tomcat would redirect to the URL with the trailing slash, confirming the presence of the file, even if no access is permitted.
access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/3/html-single/3.0.3_Release_Notes/index.html
access.redhat.com/security/updates/classification/#moderate
issues.jboss.org/browse/JWS-271
issues.jboss.org/browse/JWS-272
issues.jboss.org/browse/JWS-276
issues.jboss.org/browse/JWS-277
issues.jboss.org/browse/JWS-303
issues.jboss.org/browse/JWS-304
issues.jboss.org/browse/JWS-310
issues.jboss.org/browse/JWS-349
issues.jboss.org/browse/JWS-350
rhn.redhat.com/errata/RHSA-2016-1088.html