Thanks to Maia for pointing out that my WEB-INF directory on karensrecipes.com and other jsp based sites was accessible.. I was under the (incorrect) impression that Tomcat didn’t allow requests to the WEB-INF directory by default, but apparently it’s something you have to setup in Apache, specifically:

<Location “/WEB-INF/”>
   AllowOverride None
   deny from all
</Location>

Covalent has an excellent support document on properly setting up your Apache and Tomcat installation.