This applies to the default conf/web.xml file and WEB-INF/web.xml files in web applications if they define the components mentioned here.
The DefaultServlet is configured with readonly set to true. Changing this to false allows clients to delete or modify static resources on the server and to upload new resources. This should not normally be changed without requiring authentication.
The DefaultServlet is configured with listings set to false. This isn’t because allowing directory listings is considered unsafe but because generating listings of directories with thousands of files can consume significant CPU leading to a DOS attack.
FailedRequestFilter can be configured and used to reject requests that had errors during request parameter parsing. Without the filter the default behaviour is to ignore invalid or excessive parameters.