There are two parts to serving aliased files with Jetty: alias detection and then alias serving.
Jetty runs in a mode where all file accesses are checked for aliases, such as case insensitivity, short names, symbolic links and extra characters (Eg %00).
Alias requests are a security problem because web application security constraints are applied with case sensitive URL patterns. For example, if a security constraint is place on a /mySecretFolder/* and alias checking was not implemented then on a win32 system the following requests could retrieve files from that URL:
File name aliases come in many forms including case insensitivity, VMS version numbers, Unix symbolic links, 8.3 short names, etc. While some of these aliases (eg symbolic links) are deliberate, there is no general way to tell this in portable 100% java.
Jetty detects aliases by comparing the file's absolutePath with its canonicalPath.
Alias detection can be turned off by setting the System Property
org.mortbay.util.FileResource.checkAliases to false. If alias checking is not used, then greater care is needed when designing security constraints. It is recomended that a restrictive constraint be applied to a whole subtree of URL space and then selective constraints be applied to relax security only for specific URLs.
By default, Jetty checks for alias and disallows the serving of aliased files. If instead you wish to allow aliased files to be served, then you set the <init-param> called "aliases" to "true" for the
<servlet> <servlet-name>default</servlet-name> <servlet-class>org.mortbay.jetty.servlet.DefaultServlet</servlet-class> . . . <init-param> <param-name>aliases</param-name> <param-value>true</param-value> </init-param> . . . <sevlet>