documentation/9.3.0.v20150612/serving-aliased-files.html - www.eclipse.org/jetty - Git at Google

 <html><head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title>Aliased Files and Symbolic links</title><link rel="stylesheet" type="text/css" href="css/docbook.css"><meta name="generator" content="DocBook XSL-NS Stylesheets V1.76.1"><meta name="keywords" content="jetty, servlet, servlet-api, cometd, http, websocket, eclipse, maven, java, server, software"><link rel="home" href="index.html" title="Jetty : The Definitive Reference"><link rel="up" href="configuring-security.html" title="Chapter&nbsp;7.&nbsp;Configuring Security"><link rel="prev" href="configuring-form-size.html" title="Limiting Form Content"><link rel="next" href="configuring-security-secure-passwords.html" title="Secure Password Obfuscation"><link xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" rel="shortcut icon" href="images/favicon.ico"><script type="text/javascript" src="js/shCore.js"></script><script type="text/javascript" src="js/shBrushJava.js"></script><script type="text/javascript" src="js/shBrushXml.js"></script><script type="text/javascript" src="js/shBrushBash.js"></script><script type="text/javascript" src="js/shBrushJScript.js"></script><script type="text/javascript" src="js/shBrushSql.js"></script><script type="text/javascript" src="js/shBrushProperties.js"></script><script type="text/javascript" src="js/shBrushPlain.js"></script><link type="text/css" rel="stylesheet" href="css/shCore.css"><link type="text/css" rel="stylesheet" href="css/shThemeEclipse.css"><link type="text/css" rel="stylesheet" href="css/font-awesome.min.css"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><table xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><tr><td style="width: 25%"><a href="http://www.eclipse.org/jetty"><img src="images/jetty-header-logo.png" alt="Jetty Logo"></a><br><span style="font-size: small">
             Version: 9.3.0.v20150612</span></td><td style="width: 50%"><script type="text/javascript">  (function() {
             var cx = '016459005284625897022:obd4lsai2ds';
             var gcse = document.createElement('script');
             gcse.type = 'text/javascript';
             gcse.async = true;
             gcse.src = (document.location.protocol == 'https:' ? 'https:' : 'http:') +
             '//www.google.com/cse/cse.js?cx=' + cx;
             var s = document.getElementsByTagName('script')[0];
             s.parentNode.insertBefore(gcse, s);
             })();
           </script><gcse:search></gcse:search></td></tr></table><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Aliased Files and Symbolic links</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="configuring-form-size.html"><i class="icon-chevron-left"></i> Previous</a>&nbsp;</td><th width="60%" align="center">Chapter&nbsp;7.&nbsp;Configuring Security<br><a accesskey="p" href="index.html"><i class="icon-home"></i> Home</a></th><td width="20%" align="right">&nbsp;<a accesskey="n" href="configuring-security-secure-passwords.html">Next <i class="icon-chevron-right"></i></a></td></tr></table><hr></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="jetty-callout"><h5 class="callout"><a href="http://www.webtide.com/">Contact the core Jetty developers at
           <span class="website">www.webtide.com</span></a></h5><p>
  private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ...
  scalability guidance for your apps and Ajax/Comet projects ... development services from 1 day to full product delivery
       </p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="serving-aliased-files"></a>Aliased Files and Symbolic links</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="serving-aliased-files.html#d0e5877">Good Security Practise</a></span></dt><dt><span class="section"><a href="serving-aliased-files.html#file-alias-detection">Alias detection</a></span></dt><dt><span class="section"><a href="serving-aliased-files.html#file-alias-serving">Serving Aliases and Symbolic Links</a></span></dt></dl></div><p>Web applciations will often server static content from the file system
   provided by the operating system running underneatth the JVM. However
   because file systems often implement multiple aliased names for the same
   file, then security constraints and other servlet URI space mappings my
   inadvertantly be bypassed by aliases.</p><p>I key example of this is case insensitivety and 8.3 names implemented
   by the Windows File system. If a file within a webapplication called
   <code class="code">/mysecretfile.txt</code> is protected by a security constraint on the
   URI <code class="code"> /mysecretfile.txt</code>, then a request to
   <code class="code">/MySecretFile.TXT</code> will not match the URI constraint because
   URIs are case sensitive, but the windows file system will report that a file
   does exist at that name and it will be served despite the security
   constraint. Less well known than case insensitivity is that windows files
   systems also support <a class="link" href="http://en.wikipedia.org/wiki/8.3_filename" target="_top">8.3 filenames</a> for
   compatibility with legacy programs. Thus a request to a URI like
   <code class="code">/MYSECR~1.TXT</code> will again not match the security constraint, but
   will be reported as an existing file by the file system and served.</p><p>There are many examples of aliases, not just on windows:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>NTFS Alternate stream names like
       c:\test\file.txt::$DATA:name</p></li><li class="listitem"><p>OpenVMS support file versionig so that
       <code class="code">/mysecret.txt;N</code> refers to version N of <code class="code">
       /mysecret.txt</code> and is essentially an alias.</p></li><li class="listitem"><p>The clearcase software configuration management system provides a
       file system where @@ in a file name is an alias to a specific
       version.</p></li><li class="listitem"><p>The unix files system supports <code class="code">/./foo.txt</code> as and
       alias for <code class="code">/foo.txt</code></p></li><li class="listitem"><p>Many JVM implementations incorrectly assume the null character is
       a string terminator, so that a file name resulting from
       <code class="code">/foobar.txt%00</code> is an alias for
       <code class="code">/foobar.txt</code></p></li><li class="listitem"><p>Unix symbolic links and hard links are a form of aliases that
       allow the same file or directory to have multiple names.</p></li></ul></div><p>In addition, it is not just URI security constraints that can be
   bypassed. For example the mapping of the URI pattern <code class="code">*.jsp</code> to
   the JSP Servlet may be bypassed by an a request to an alias like <code class="code">
   /foobar.jsp%00</code>, thus rather than execute the JSP, the source code of
   the JSP is returned by the file system.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="d0e5877"></a>Good Security Practise</h3></div></div></div><p>Part of the problem with aliases is that the standard web
     application security model is to allow all requests except the ones that
     are specifically denied by security constraints. A best practise for
     security is to deny all requests and to permit only those that are
     specifically identified as allowable. While it is possible to design web
     application security constraints in this style, it can be difficult in all
     circumstances and it is not the default. Thus it is important for Jetty to
     be able to detect and deny requests to aliased static content.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="file-alias-detection"></a>Alias detection</h3></div></div></div><p>It is impossible for Jetty to know of all the aliases that may be
     implemented by the file system running beneath it, thus it does not
     attempt to make any specific checks for any know aliases. Instead jetty
     detects aliases by using the canonical path of a file. If a file resource
     handled by jetty has a canonical name that differs from the name used to
     request the resource, then Jetty determines that the resource is an
     aliased request and it will not be returned by the
     <code class="code">ServletContext.getResource(String)</code> method (or similar) and
     thus will not be served as static content nor used as the basis of a
     JSP.</p><p>This if Jetty is running on a windows operation system, then a file
     called <code class="code">/MySecret.TXT</code> will have a canonical name that exactly
     matches that case. So while a request to <code class="code">/mysecret.txt</code> or
     <code class="code"> /MYSECR~1.TXT</code> will result in a File Resource that matches
     the file, the different canonical name will indicate that those requests
     are aliases and they will not be served as static content and instead a
     404 response returned.</p><p>Unfortunately this approach denies all aliases, including symbolic
     links, which can be useful in assembling complex web applications.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="file-alias-serving"></a>Serving Aliases and Symbolic Links</h3></div></div></div><p>Not all aliases are bad nor should be seen as attempts to subvert
     security constraints. Specifically symbolic links can be very useful when
     assembling complex web applications, yet by default Jetty will not serve
     them. Thus Jetty contexts support an extensible AliasCheck mechanism to
     allow aliases resources to be inspected an conditionally served. In this
     way, "good" aliases can be detected and served. Jetty provides several
     utility implementations of the AliasCheck interface as nested classes with
     ContextHandler:</p><div class="variablelist"><dl><dt><span class="term">ApproveAliases</span></dt><dd><p>Approve all aliases (USE WITH CAUTION!).</p></dd><dt><span class="term">AllowSymLinkAliasChecker</span></dt><dd><p>Approve Aliases using the java-7 Files.readSymbolicLink(path)
           and Path.toRealPath(...) APIs to check that alias are valid symbolic
           links.</p></dd></dl></div><p>An application is free to implement its own Alias checking. Alias
     Checkers can be installed in a context via the following XML used in a
     context deployer file or <code class="code">WEB-INF/jetty-web.xml</code>:</p><div class="informalexample"><script type="syntaxhighlighter" class="brush: xml;toolbar: false">
           <![CDATA[
   <!-- Allow symbolic links  -->
   <Call name="addAliasCheck">
     <Arg><New class="org.eclipse.jetty.server.handler.AllowSymLinkAliasChecker"/></Arg>
   </Call>
       ]]>
         </script></div></div></div><script type="text/javascript">
       SyntaxHighlighter.all()
     </script><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="configuring-form-size.html"><i class="icon-chevron-left"></i> Previous</a>&nbsp;</td><td width="20%" align="center"><a accesskey="u" href="configuring-security.html"><i class="icon-chevron-up"></i> Top</a></td><td width="40%" align="right">&nbsp;<a accesskey="n" href="configuring-security-secure-passwords.html">Next <i class="icon-chevron-right"></i></a></td></tr><tr><td width="40%" align="left" valign="top">Limiting Form Content&nbsp;</td><td width="20%" align="center"><a accesskey="h" href="index.html"><i class="icon-home"></i> Home</a></td><td width="40%" align="right" valign="top">&nbsp;Secure Password Obfuscation</td></tr></table></div><p xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><div class="jetty-callout">
             See an error or something missing?
             <span class="callout"><a href="http://github.com/jetty-project/jetty-documentation">Contribute to this documentation at
                 <span class="website"><i class="icon-github"></i> Github!</span></a></span><span style="float: right"><i>(Generated: 2015-06-15T13:18:16-05:00)</i></span></div></p><script xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" type="text/javascript">
   var _gaq = _gaq || [];
   _gaq.push(['_setAccount', 'UA-1149868-7']);
   _gaq.push(['_trackPageview']);

   (function() {
     var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
     ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
     var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
   })();
     </script></body></html>
	<html><head>
	<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
	<title>Aliased Files and Symbolic links</title><link rel="stylesheet" type="text/css" href="css/docbook.css"><meta name="generator" content="DocBook XSL-NS Stylesheets V1.76.1"><meta name="keywords" content="jetty, servlet, servlet-api, cometd, http, websocket, eclipse, maven, java, server, software"><link rel="home" href="index.html" title="Jetty : The Definitive Reference"><link rel="up" href="configuring-security.html" title="Chapter 7. Configuring Security"><link rel="prev" href="configuring-form-size.html" title="Limiting Form Content"><link rel="next" href="configuring-security-secure-passwords.html" title="Secure Password Obfuscation"><link xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" rel="shortcut icon" href="images/favicon.ico"><script type="text/javascript" src="js/shCore.js"></script><script type="text/javascript" src="js/shBrushJava.js"></script><script type="text/javascript" src="js/shBrushXml.js"></script><script type="text/javascript" src="js/shBrushBash.js"></script><script type="text/javascript" src="js/shBrushJScript.js"></script><script type="text/javascript" src="js/shBrushSql.js"></script><script type="text/javascript" src="js/shBrushProperties.js"></script><script type="text/javascript" src="js/shBrushPlain.js"></script><link type="text/css" rel="stylesheet" href="css/shCore.css"><link type="text/css" rel="stylesheet" href="css/shThemeEclipse.css"><link type="text/css" rel="stylesheet" href="css/font-awesome.min.css"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><table xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><tr><td style="width: 25%"><a href="http://www.eclipse.org/jetty"><img src="images/jetty-header-logo.png" alt="Jetty Logo"></a><br><span style="font-size: small">
	Version: 9.3.0.v20150612</span></td><td style="width: 50%"><script type="text/javascript"> (function() {
	var cx = '016459005284625897022:obd4lsai2ds';
	var gcse = document.createElement('script');
	gcse.type = 'text/javascript';
	gcse.async = true;
	gcse.src = (document.location.protocol == 'https:' ? 'https:' : 'http:') +
	'//www.google.com/cse/cse.js?cx=' + cx;
	var s = document.getElementsByTagName('script')[0];
	s.parentNode.insertBefore(gcse, s);
	})();
	</script><gcse:search></gcse:search></td></tr></table><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Aliased Files and Symbolic links</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="configuring-form-size.html"><i class="icon-chevron-left"></i> Previous</a> </td><th width="60%" align="center">Chapter 7. Configuring Security<br><a accesskey="p" href="index.html"><i class="icon-home"></i> Home</a></th><td width="20%" align="right"> <a accesskey="n" href="configuring-security-secure-passwords.html">Next <i class="icon-chevron-right"></i></a></td></tr></table><hr></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="jetty-callout"><h5 class="callout"><a href="http://www.webtide.com/">Contact the core Jetty developers at
	<span class="website">www.webtide.com</span></a></h5><p>
	private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ...
	scalability guidance for your apps and Ajax/Comet projects ... development services from 1 day to full product delivery
	</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="serving-aliased-files"></a>Aliased Files and Symbolic links</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="serving-aliased-files.html#d0e5877">Good Security Practise</a></span></dt><dt><span class="section"><a href="serving-aliased-files.html#file-alias-detection">Alias detection</a></span></dt><dt><span class="section"><a href="serving-aliased-files.html#file-alias-serving">Serving Aliases and Symbolic Links</a></span></dt></dl></div><p>Web applciations will often server static content from the file system
	provided by the operating system running underneatth the JVM. However
	because file systems often implement multiple aliased names for the same
	file, then security constraints and other servlet URI space mappings my
	inadvertantly be bypassed by aliases.</p><p>I key example of this is case insensitivety and 8.3 names implemented
	by the Windows File system. If a file within a webapplication called
	<code class="code">/mysecretfile.txt</code> is protected by a security constraint on the
	URI <code class="code"> /mysecretfile.txt</code>, then a request to
	<code class="code">/MySecretFile.TXT</code> will not match the URI constraint because
	URIs are case sensitive, but the windows file system will report that a file
	does exist at that name and it will be served despite the security
	constraint. Less well known than case insensitivity is that windows files
	systems also support <a class="link" href="http://en.wikipedia.org/wiki/8.3_filename" target="_top">8.3 filenames</a> for
	compatibility with legacy programs. Thus a request to a URI like
	<code class="code">/MYSECR~1.TXT</code> will again not match the security constraint, but
	will be reported as an existing file by the file system and served.</p><p>There are many examples of aliases, not just on windows:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>NTFS Alternate stream names like
	c:\test\file.txt::$DATA:name</p></li><li class="listitem"><p>OpenVMS support file versionig so that
	<code class="code">/mysecret.txt;N</code> refers to version N of <code class="code">
	/mysecret.txt</code> and is essentially an alias.</p></li><li class="listitem"><p>The clearcase software configuration management system provides a
	file system where @@ in a file name is an alias to a specific
	version.</p></li><li class="listitem"><p>The unix files system supports <code class="code">/./foo.txt</code> as and
	alias for <code class="code">/foo.txt</code></p></li><li class="listitem"><p>Many JVM implementations incorrectly assume the null character is
	a string terminator, so that a file name resulting from
	<code class="code">/foobar.txt%00</code> is an alias for
	<code class="code">/foobar.txt</code></p></li><li class="listitem"><p>Unix symbolic links and hard links are a form of aliases that
	allow the same file or directory to have multiple names.</p></li></ul></div><p>In addition, it is not just URI security constraints that can be
	bypassed. For example the mapping of the URI pattern <code class="code">*.jsp</code> to
	the JSP Servlet may be bypassed by an a request to an alias like <code class="code">
	/foobar.jsp%00</code>, thus rather than execute the JSP, the source code of
	the JSP is returned by the file system.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="d0e5877"></a>Good Security Practise</h3></div></div></div><p>Part of the problem with aliases is that the standard web
	application security model is to allow all requests except the ones that
	are specifically denied by security constraints. A best practise for
	security is to deny all requests and to permit only those that are
	specifically identified as allowable. While it is possible to design web
	application security constraints in this style, it can be difficult in all
	circumstances and it is not the default. Thus it is important for Jetty to
	be able to detect and deny requests to aliased static content.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="file-alias-detection"></a>Alias detection</h3></div></div></div><p>It is impossible for Jetty to know of all the aliases that may be
	implemented by the file system running beneath it, thus it does not
	attempt to make any specific checks for any know aliases. Instead jetty
	detects aliases by using the canonical path of a file. If a file resource
	handled by jetty has a canonical name that differs from the name used to
	request the resource, then Jetty determines that the resource is an
	aliased request and it will not be returned by the
	<code class="code">ServletContext.getResource(String)</code> method (or similar) and
	thus will not be served as static content nor used as the basis of a
	JSP.</p><p>This if Jetty is running on a windows operation system, then a file
	called <code class="code">/MySecret.TXT</code> will have a canonical name that exactly
	matches that case. So while a request to <code class="code">/mysecret.txt</code> or
	<code class="code"> /MYSECR~1.TXT</code> will result in a File Resource that matches
	the file, the different canonical name will indicate that those requests
	are aliases and they will not be served as static content and instead a
	404 response returned.</p><p>Unfortunately this approach denies all aliases, including symbolic
	links, which can be useful in assembling complex web applications.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="file-alias-serving"></a>Serving Aliases and Symbolic Links</h3></div></div></div><p>Not all aliases are bad nor should be seen as attempts to subvert
	security constraints. Specifically symbolic links can be very useful when
	assembling complex web applications, yet by default Jetty will not serve
	them. Thus Jetty contexts support an extensible AliasCheck mechanism to
	allow aliases resources to be inspected an conditionally served. In this
	way, "good" aliases can be detected and served. Jetty provides several
	utility implementations of the AliasCheck interface as nested classes with
	ContextHandler:</p><div class="variablelist"><dl><dt><span class="term">ApproveAliases</span></dt><dd><p>Approve all aliases (USE WITH CAUTION!).</p></dd><dt><span class="term">AllowSymLinkAliasChecker</span></dt><dd><p>Approve Aliases using the java-7 Files.readSymbolicLink(path)
	and Path.toRealPath(...) APIs to check that alias are valid symbolic
	links.</p></dd></dl></div><p>An application is free to implement its own Alias checking. Alias
	Checkers can be installed in a context via the following XML used in a
	context deployer file or <code class="code">WEB-INF/jetty-web.xml</code>:</p><div class="informalexample"><script type="syntaxhighlighter" class="brush: xml;toolbar: false">
	<![CDATA[
	<!-- Allow symbolic links -->
	<Call name="addAliasCheck">
	<Arg><New class="org.eclipse.jetty.server.handler.AllowSymLinkAliasChecker"/></Arg>
	</Call>
	]]>
	</script></div></div></div><script type="text/javascript">
	SyntaxHighlighter.all()
	</script><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="configuring-form-size.html"><i class="icon-chevron-left"></i> Previous</a> </td><td width="20%" align="center"><a accesskey="u" href="configuring-security.html"><i class="icon-chevron-up"></i> Top</a></td><td width="40%" align="right"> <a accesskey="n" href="configuring-security-secure-passwords.html">Next <i class="icon-chevron-right"></i></a></td></tr><tr><td width="40%" align="left" valign="top">Limiting Form Content </td><td width="20%" align="center"><a accesskey="h" href="index.html"><i class="icon-home"></i> Home</a></td><td width="40%" align="right" valign="top"> Secure Password Obfuscation</td></tr></table></div><p xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><div class="jetty-callout">
	See an error or something missing?
	<span class="callout"><a href="http://github.com/jetty-project/jetty-documentation">Contribute to this documentation at
	<span class="website"><i class="icon-github"></i> Github!</span></a></span><span style="float: right"><i>(Generated: 2015-06-15T13:18:16-05:00)</i></span></div></p><script xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" type="text/javascript">
	var _gaq = _gaq \|\| [];
	_gaq.push(['_setAccount', 'UA-1149868-7']);
	_gaq.push(['_trackPageview']);

	(function() {
	var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
	ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
	var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
	})();
	</script></body></html>