Default Servlet Reference

Table of Contents

What is the DefaultServlet

The default servlet is the servlet which serves static resources as well as serves the directory listings (if directory listings are enabled).

Where is it declared?

It is declared globally in $CATALINA_BASE/conf/web.xml. By default here is it's declaration:




So by default, the default servlet is loaded at webapp startup and directory listings are disabled and debugging is turned off.

If you need to change the DefaultServlet settings for an application you can override the default configuration by re-defining the DefaultServlet in /WEB-INF/web.xml. However, this will cause problems if you attempt to deploy the application on another container as the DefaultServlet class will not be recognised. You can work-around this problem by using the Tomcat specific /WEB-INF/tomcat-web.xml deployment descriptor. The format is identical to /WEB-INF/web.xml. It will override any default settings but not those in /WEB-INF/web.xml. Since it is Tomcat specific, it will only be processed when the application is deployed on Tomcat.

What can I change?

The DefaultServlet allows the following initParameters:

Property Description
debug Debugging level. It is not very useful unless you are a tomcat developer. As of this writing, useful values are 0, 1, 11. [0]
listings If no welcome file is present, can a directory listing be shown? value may be true or false [false]
Welcome files are part of the servlet api.
WARNING: Listings of directories containing many entries are expensive. Multiple requests for large directory listings can consume significant proportions of server resources.
precompressed If a precompressed version of a file exists (a file with .br or .gz appended to the file name located alongside the original file), Tomcat will serve the precompressed file if the user agent supports the matching content encoding (br or gzip) and this option is enabled. [false]
The precompressed file with the with .br or .gz extension will be accessible if requested directly so if the original resource is protected with a security constraint, the precompressed versions must be similarly protected.
It is also possible to configure the list of precompressed formats. The syntax is comma separated list of [content-encoding]=[file-extension] pairs. For example:,gzip=.gz,bzip2=.bz2. If multiple formats are specified, the client supports more than one and the client does not express a preference, the order of the list of formats will be treated as the server preference order and used to select the format returned.
readmeFile If a directory listing is presented, a readme file may also be presented with the listing. This file is inserted as is so it may contain HTML.
globalXsltFile If you wish to customize your directory listing, you can use an XSL transformation. This value is a relative file name (to either $CATALINA_BASE/conf/ or $CATALINA_HOME/conf/) which will be used for all directory listings. This can be overridden per context and/or per directory. See contextXsltFile and localXsltFile below. The format of the xml is shown below.
contextXsltFile You may also customize your directory listing by context by configuring contextXsltFile. This must be a context relative path (e.g.: /path/to/context.xslt) to a file with a .xsl or .xslt extension. This overrides globalXsltFile. If this value is present but a file does not exist, then globalXsltFile will be used. If globalXsltFile does not exist, then the default directory listing will be shown.
localXsltFile You may also customize your directory listing by directory by configuring localXsltFile. This must be a file in the directory where the listing will take place to with a .xsl or .xslt extension. This overrides globalXsltFile and contextXsltFile. If this value is present but a file does not exist, then contextXsltFile will be used. If contextXsltFile does not exist, then globalXsltFile will be used. If globalXsltFile does not exist, then the default directory listing will be shown.
input Input buffer size (in bytes) when reading resources to be served. [2048]
output Output buffer size (in bytes) when writing resources to be served. [2048]
readonly Is this context "read only", so HTTP commands like PUT and DELETE are rejected? [true]
fileEncoding File encoding to be used when reading static resources. [platform default]
useBomIfPresent If a static file contains a byte order mark (BOM), should this be used to determine the file encoding in preference to fileEncoding. This setting must be one of true (remove the BOM and use it in preference to fileEncoding), false (remove the BOM but do not use it) or pass-through (do not use the BOM and do not remove it). [true]
sendfileSize If the connector used supports sendfile, this represents the minimal file size in KiB for which sendfile will be used. Use a negative value to always disable sendfile. [48]
useAcceptRanges If true, the Accept-Ranges header will be set when appropriate for the response. [true]
showServerInfo Should server information be presented in the response sent to clients when directory listing is enabled. [true]
sortListings Should the server sort the listings in a directory. [false]
sortDirectoriesFirst Should the server list all directories before all files. [false]
allowPartialPut Should the server treat an HTTP PUT request with a Range header as a partial PUT? Note that while RFC 7233 clarified that Range headers only valid for GET requests, RFC 9110 (which obsoletes RFC 7233) now allows partial puts. [true]

How do I customize directory listings?

You can override DefaultServlet with you own implementation and use that in your web.xml declaration. If you can understand what was just said, we will assume you can read the code to DefaultServlet servlet and make the appropriate adjustments. (If not, then that method isn't for you)

You can use either localXsltFile, contextXsltFile or globalXsltFile and DefaultServlet will create an xml document and run it through an xsl transformation based on the values provided in the XSLT file. localXsltFile is first checked, then contextXsltFile, followed by globalXsltFile. If no XSLT files are configured, default behavior is used.


      <entry type='file|dir' urlPath='aPath' size='###' date='gmt date'>
      <entry type='file|dir' urlPath='aPath' size='###' date='gmt date'>
  • size will be missing if type='dir'
  • Readme is a CDATA entry

The following is a sample xsl file which mimics the default tomcat behavior:

<?xml version="1.0" encoding="UTF-8"?>

<xsl:stylesheet xmlns:xsl=""

  <xsl:output method="html" html-version="5.0"
    encoding="UTF-8" indent="no"

  <xsl:template match="listing">
        Sample Directory Listing For
        <xsl:value-of select="@directory"/>
        h1 {color : white;background-color : #0086b2;}
        h3 {color : white;background-color : #0086b2;}
        body {font-family : sans-serif,Arial,Tahoma;
             color : black;background-color : white;}
        b {color : white;background-color : #0086b2;}
        a {color : black;} HR{color : #0086b2;}
        table td { padding: 5px; }
      <h1>Sample Directory Listing For
            <xsl:value-of select="@directory"/>
      <hr style="height: 1px;" />
      <table style="width: 100%;">
          <th style="text-align: left;">Filename</th>
          <th style="text-align: center;">Size</th>
          <th style="text-align: right;">Last Modified</th>
        <xsl:apply-templates select="entries"/>
      <xsl:apply-templates select="readme"/>
      <hr style="height: 1px;" />
      <h3>Apache Tomcat/9.0</h3>

  <xsl:template match="entries">
    <xsl:apply-templates select="entry"/>

  <xsl:template match="readme">
    <hr style="height: 1px;" />

  <xsl:template match="entry">
      <td style="text-align: left;">
        <xsl:variable name="urlPath" select="@urlPath"/>
        <a href="{$urlPath}">
      <td style="text-align: right;">
        <pre><xsl:value-of select="@size"/></pre>
      <td style="text-align: right;">
        <pre><xsl:value-of select="@date"/></pre>


How do I secure directory listings?

Use web.xml in each individual webapp. See the security section of the Servlet specification.