The security risks are relatively minor if you have control over who can
update your webapp.  An example of a problem (if you aren't using a sandbox)
would be somebody deciding to do "ln -s /etc/passwd" within
$CATALINA_HOME/webapps/ROOT (and letting the entire world know what user
accounts are on your box).

The alternative (since you are using Apache) is to place the
images/stylesheets into directories outside of the webapp, and known only to
Apache.  i.e. have a huge directory with all of your stylesheets and do
something like:
    <link rel="stylesheet" type="text/css"  href="/styles/myStyle.css">
or even:
    <link rel="stylesheet" type="text/css"
                 href="/styles<%= request.getContextPath() %>/myStyle.css">


"Denise Mangano" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Ok sorry for that.  Finally got the right answer from the archives.
> Apparently symlinks have been disabled since 4.1.12 for security reasons. I
> noticed in the archives that it was suggested to set the allowLinking in my
> server.xml file be enough?
>
> <Resources className="org.apache.naming.resources.FileDirContext"
> allowLinking="true" docBase="" />
>
> But if it was disabled for security reasons, then doesn't enabling it make
> me susceptible to those same security risks?
>
> Can anyone suggest an alternative solution without having multiple
> images/styles directories?  I read something about setting up a Context for
> these directories.  Is that the path I should explore?
>
> Sorry to ask what seems to have been asked many times before, just trying to
> get pointed in the right direction :)
>
> Thanks!
> Denise
>
>
> -----Original Message-----
> From: Denise Mangano [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 03, 2003 11:59 PM
> To: 'Tomcat Users List'
> Subject: Using symlinks in webapps
>
>
> I have read in some of the archives that using symlinks in tomcat cannot be
> done?  Is this true, or is it just not the preferred way to handle it?
>
> The problem that I am encountering is that my application uses Apache and
> Tomcat, as well as a third party application.  Instead of having 3 different
> directories with the same images & style sheet and having to update images
> in 3 places I set up one main images folder and one main style folder on the
> Apache server, and set up symlinks to these folders everywhere else.  From
> within my Tomcat web app my images and styles are not working.  I have all
> the proper JkMount statements, and the images & style sheets do exist in the
> specified location.
>
> I am looking further into this problem, but just wanted to run it by the
> list to see whether or not symlinks are definitely not supported so I don't
> go nuts trying to solve something that can't possibly work.
>
> Thanks!
> Denise
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
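
An added example, not part of the original thread: a Python audit that lists symlinks under a webapp directory whose targets resolve outside it, which is the condition the reply above warns about when allowLinking is enabled. The function names and the directory tree built in demo() are constructed for illustration.

```python
import os
import tempfile


def escaping_symlinks(doc_base):
    """Return sorted (link, resolved_target) pairs for every symlink under
    doc_base whose target resolves outside doc_base."""
    root = os.path.realpath(doc_base)
    findings = []
    # followlinks=False: linked directories are reported, never descended into.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath resolves relative targets and chains of links; for a
            # dangling link it still returns the path the link points at.
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                findings.append((os.path.relpath(path, root), target))
    return sorted(findings)


def demo():
    """Build a constructed webapp tree and return the links that escape it."""
    with tempfile.TemporaryDirectory() as tmp:
        doc_base = os.path.join(tmp, "webapps", "ROOT")
        shared = os.path.join(tmp, "shared", "styles")
        os.makedirs(os.path.join(doc_base, "css"))
        os.makedirs(shared)
        open(os.path.join(doc_base, "css", "site.css"), "w").close()
        # Directory link that leaves the webapp (the shared-styles case).
        os.symlink(shared, os.path.join(doc_base, "styles"))
        # Relative link that stays inside the webapp: not reported.
        os.symlink("css/site.css", os.path.join(doc_base, "main.css"))
        # Dangling relative link that would resolve outside the webapp.
        os.symlink("../../missing", os.path.join(doc_base, "css", "old"))
        return [link for link, _ in escaping_symlinks(doc_base)]


if __name__ == "__main__":
    for link in demo():
        print(link)
```

Run against a real docBase, escaping_symlinks() gives the list of links to review before turning allowLinking on, or to replace with Apache-served directories.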



