Still not sure what you're getting at. A J2EE server is just a regular server; it serves files, except those files are written in or somehow associated with Java. What you've got probably has a standard web (HTTP) server tied into it also, which allows it to serve HTML pages and stuff. That's also how it converts the Java stuff into something people's browsers can interpret. There's a document root, where all the files have to reside. So when you make a request for /index.html, it looks inside this directory for the file named index.html and serves it up. That's not insecure... that's how they work.
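The document-root lookup described in the post above, as an added example that is not part of the original post and is not code from any particular J2EE server: it maps a request path to a file and serves it only when the resolved file really sits inside the document root. The class name `DocRootResolver`, the temporary directory and the sample request paths are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.Optional;

public class DocRootResolver {
    private final Path root;

    public DocRootResolver(Path documentRoot) throws IOException {
        // Canonicalize once so every later comparison is against the real directory.
        this.root = documentRoot.toRealPath();
    }

    /** Maps a request path such as "/index.html" to a regular file under the document root. */
    public Optional<Path> resolve(String requestPath) {
        if (requestPath == null || !requestPath.startsWith("/")) {
            return Optional.empty();
        }
        try {
            // Drop the leading "/" so the path is resolved relative to the root,
            // then collapse "." and ".." segments before comparing.
            Path candidate = root.resolve(requestPath.substring(1)).normalize();
            if (!candidate.startsWith(root)) {
                return Optional.empty();
            }
            // toRealPath follows symlinks and throws if the file does not exist.
            Path real = candidate.toRealPath();
            if (!real.startsWith(root) || !Files.isRegularFile(real)) {
                return Optional.empty();
            }
            return Optional.of(real);
        } catch (IOException | InvalidPathException e) {
            return Optional.empty(); // missing file or malformed path: treat as not found
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a throwaway document root holding one page.
        Path docRoot = Files.createTempDirectory("docroot");
        Files.writeString(docRoot.resolve("index.html"), "<h1>hello</h1>");
        DocRootResolver resolver = new DocRootResolver(docRoot);
        for (String p : new String[] {"/index.html", "/missing.html", "/../outside.txt"}) {
            String result = resolver.resolve(p).map(f -> "serve " + f.getFileName()).orElse("404");
            System.out.println(p + " -> " + result);
        }
    }
}
```

Only `/index.html` is served here; the other two requests come back as 404 because the file is missing or the path normalizes to a location outside the document root.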