I seen several recommendation to increase web application security by disabling directory browsing and found vendor specific ways of doing this in, for example, WebLogic and Tomcat.
I take it that there is no vendor-independent way of doing this?
I think that there isn't vendor-independent way to do it. Although I haven't noticed it in servlet spec. What you can do, you can put your protected files under WEB-INF. Or just put index.html into all directories, as almost all vendors uses this file as index/welcome file.