i have a web application which stores users file in directory which is under webroot directory..

Suppose web application is under 'fileupload' and all files are getting stored in 'xyz' folder under 'fileupload' so now if user points to url say like

www.xyzpqr.com/fileupload/xyz/abc.doc, he gets that file.

How do i restirct this from happening.. i have thought of putting xyz folder in WeB-inf folder but as my application is very big i have to made changes at too many places.. so is there any way so that without moving the folder to web-inf (restricted folders) i can achieve wat i want..