I don't know if this has been raised before, but the following excerpt from the most recent SANS security alert concensus made me think: ---------- Forwarded message ---------- [...] --> {00.31.014} Apache TomCat leaks system information Apache's TomCat server has been found to provide various types of system information to an attacker-such as full system paths being displayed in error messages. TomCat also comes with the "snoop" servlet, which provides even more detailed information about the system when invoked. ---------------------------------------- Obviously the 'snoop' servlet is the reason this was posted, but still, they are calling full path information a security leak. Not perhaps something to put high on a priority list, but should there be a way to prevent full path information from appearing in error messages? It would have the side benefit of making the error messages more readable <grin>. --RDM