How to enable serving aliases/symbolic links?

There are two parts to serving aliased files with Jetty: alias detection and then alias serving.

Alias detection

By default, Jetty checks every file access for aliases: case-insensitive matches, 8.3 short names, symbolic links and extra trailing characters (e.g. %00).

Alias requests are a security problem because web application security constraints are applied with case-sensitive URL patterns, while the file system underneath may not be. For example, if a security constraint is placed on /mySecretFolder/* and alias checking is not implemented, then on a Windows system the following requests bypass the constraint and retrieve files from the protected folder:

  • /MySeCrEtFoLdEr/secret.html
  • /mysec~a0.dir/secret.html
  • /mySecretFolder/secret.html%00

File name aliases come in many forms, including case insensitivity, VMS version numbers, Unix symbolic links, 8.3 short names, etc. While some of these aliases (e.g. symbolic links) are deliberate, there is no general way to distinguish deliberate aliases from accidental ones in portable, pure Java.

Jetty detects aliases by comparing the file's absolute path (File.getAbsolutePath()) with its canonical path (File.getCanonicalPath()). The canonical path resolves symbolic links and, on case-insensitive file systems, restores the real case of each name, so if the two strings differ the file was reached through an alias.
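The comparison described above, re-implemented as a stand-alone example (this is added illustration code, not Jetty's FileResource or DefaultServlet; the class name AliasCheckDemo and the methods isAlias and mayServe are this example's own). It creates a protected folder, a symbolic link pointing into it and a wrong-case path, and shows which of them the default policy (aliases refused) and the relaxed policy (aliases served) would let through:

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

// Illustrative re-implementation of the absolute-vs-canonical alias check.
// Class and method names are assumed for this example and are not Jetty's.
public class AliasCheckDemo {

    /** A path is an alias when its absolute form differs from its canonical form. */
    static boolean isAlias(File f) throws IOException {
        String absolute = f.getAbsolutePath();
        String canonical = f.getCanonicalPath();
        return !absolute.equals(canonical);
    }

    /**
     * The serving decision: a regular file is served if aliases are allowed,
     * or if it is not an alias. Missing files and directories are never served here.
     */
    static boolean mayServe(File f, boolean aliasesAllowed) throws IOException {
        if (!f.exists() || !f.isFile()) {
            return false;
        }
        return aliasesAllowed || !isAlias(f);
    }

    public static void main(String[] args) throws IOException {
        // toRealPath() matters: on macOS the temp directory itself lives under
        // /var -> /private/var, which would otherwise make every file look aliased.
        Path root = Files.createTempDirectory("aliasdemo").toRealPath();
        Path secret = Files.createDirectories(root.resolve("mySecretFolder"));
        Path file = Files.write(secret.resolve("secret.html"),
                                "top secret".getBytes(StandardCharsets.UTF_8));
        // Symbolic link that exposes the protected folder under a different name.
        // (Creating symlinks on Windows may require elevated privileges.)
        Path link = Files.createSymbolicLink(root.resolve("public"), secret);

        File direct    = file.toFile();
        File viaLink   = link.resolve("secret.html").toFile();
        File wrongCase = root.resolve("MySeCrEtFoLdEr").resolve("secret.html").toFile();

        for (File f : new File[] {direct, viaLink, wrongCase}) {
            boolean exists = f.exists();
            System.out.printf("%s%n  exists=%b alias=%b serve(default)=%b serve(aliases=true)=%b%n",
                f, exists, exists && isAlias(f), mayServe(f, false), mayServe(f, true));
        }
    }
}
```

The direct path is served under both policies. The symbolic-link path exists but its canonical form names mySecretFolder, so the default policy refuses it and only the relaxed policy serves it. The wrong-case path only exists on a case-insensitive file system (Windows, default macOS); there the canonical path restores the real case, so it is an alias and is refused by default, which is exactly the bypass the security constraint relies on being blocked.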

Alias detection can be turned off by setting the system property org.mortbay.util.FileResource.checkAliases to false. If alias checking is not used, then greater care is needed when designing security constraints, because a constraint on a single URL pattern can be bypassed by any alias of that path. It is recommended that a restrictive constraint be applied to a whole subtree of URL space and that selective constraints then be applied to relax security only for specific URLs.

Alias serving

By default, Jetty checks for aliases and refuses to serve aliased files. If instead you wish to allow aliased files to be served, set the <init-param> called "aliases" to "true" for org.mortbay.jetty.servlet.DefaultServlet in webdefault.xml:

Code Block
  . . .
  . . .
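The two pieces of configuration discussed on this page, written out as an added example rather than copied from a Jetty distribution. The servlet class and the "aliases" parameter name are the ones named above; the servlet-name "default", the url-pattern, the role name "admin" and the /public/* relaxation are assumptions made for the illustration. The second fragment follows the recommendation from the alias detection section: lock the whole URL space first, then open only the paths that should be reachable, so that an alias of a protected path still hits the restrictive /* rule.

```xml
<!-- webdefault.xml: serve files even when absolute and canonical paths differ
     (symbolic links, case-insensitive matches, 8.3 short names). -->
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.mortbay.jetty.servlet.DefaultServlet</servlet-class>
  <init-param>
    <param-name>aliases</param-name>
    <param-value>true</param-value>
  </init-param>
  <load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>default</servlet-name>
  <url-pattern>/</url-pattern>
</servlet-mapping>

<!-- WEB-INF/web.xml of the application: restrictive constraint on the whole
     subtree, relaxed only for the URLs that are meant to be public.
     The more specific pattern takes precedence for a matching request. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>public files</web-resource-name>
    <url-pattern>/public/*</url-pattern>
  </web-resource-collection>
  <!-- no auth-constraint: anyone may access /public/* -->
</security-constraint>
```

With aliases enabled, a constraint placed only on /mySecretFolder/* is once again bypassable through /MySeCrEtFoLdEr/ on a case-insensitive file system or through a symbolic link into the folder, which is why the deny-by-default layout above should accompany the relaxed setting.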