Read access to restricted files in Tomcat on Windows

Issue: SI-43
Date: Mar 12, 2017, 8:00:00 PM
Severity: Medium
Requires Admin Access: No
Fix Version: n/a
Credit: Client
Description:

When running on an OS that does not have a case-sensitive filesystem (i.e. Windows), you must not run with the "allowLinking" option turned on (see https://tomcat.apache.org/tomcat-8.0-doc/config/resources.html). When this setting is set to true in such an environment, sensitive files such as those located in the META-INF directory can be exposed by a properly formatted browser request.

This setting is located in your context.xml, in the form: <Resources allowLinking="true" />
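
To check an installation for the condition described above, the following added example (not part of the original advisory or of the product's code) parses each context.xml it finds and probes whether the filesystem is case insensitive. The function names, verdict labels and directory layout are assumptions made for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample, using the <Resources> element quoted in the advisory.
SAMPLE_WEAK = '<Context><Resources allowLinking="true" /></Context>'


def allow_linking_enabled(root):
    """True if the element tree holds a <Resources> with allowLinking="true"."""
    return any(e.get("allowLinking", "").strip().lower() == "true"
               for e in root.iter("Resources"))


def filesystem_is_case_insensitive(directory):
    """Create a lower-case probe file and look it up under an upper-case name."""
    with tempfile.NamedTemporaryFile(prefix="caseprobe_", dir=directory) as probe:
        folder, name = os.path.split(probe.name)
        return os.path.exists(os.path.join(folder, name.upper()))


def classify(root, case_insensitive):
    """'exposed' only when both conditions from the advisory hold."""
    if not allow_linking_enabled(root):
        return "ok"
    return "exposed" if case_insensitive else "linking-enabled"


def scan(base_dir):
    """Classify every context.xml found under base_dir (hypothetical layout)."""
    insensitive = filesystem_is_case_insensitive(base_dir)
    results = {}
    for folder, _dirs, files in os.walk(base_dir):
        for name in files:
            if name.lower() == "context.xml":
                path = os.path.join(folder, name)
                results[path] = classify(ET.parse(path).getroot(), insensitive)
    return results


if __name__ == "__main__":
    # Demo on a constructed file in a temporary directory.
    with tempfile.TemporaryDirectory() as demo:
        with open(os.path.join(demo, "context.xml"), "w") as fh:
            fh.write(SAMPLE_WEAK)
        for path, verdict in scan(demo).items():
            print(verdict, path)
```

Point scan() at the Tomcat base directory; any file reported as "exposed" should have allowLinking removed or set to false.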