HYPERAXE

I found it weird that after all those years that I had been using Tomcat Java Application Server, I had missed its one important security feature - “by default Tomcat does not allow access to symbolic links outside of its web application folder“. 

I just found this out while working on migrating a web site from JBoss to Tomcat, and had to create a symbolic link inside  webapps directory from a folder containing some downloadable files in another directory outside Tomcat. At first I thought there were permission problems, but after a thorough check, I was very sure that all directory and file permissions were correct. Then after playing around, I realized that only the symbolic links are getting the HTTP 404 error. So to solve the problem it was a very simple additional configuration under the conf/context.xml file in which you just need to set allowLinking=”true”:

<Context ... allowLinking=”true”>

...

</Context>

This just works for Tomcat 5.x, and I think on Tomcat 4.x you need to declare a Resource under your context to enable symbolic links access.

I guess this only proves that there’s no such thing as “you know it all”.

This entry was posted on Sunday, August 24th, 2008 at 2:39 pm and is filed under Techno Stuffs. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.