The security risk are relatively minor if you have control over who can update your webapp. An example of a problem (if you aren't using a sandbox) would be somebody deciding to do "ln -s /etc/passwd" within $CATALINA_HOME/webapps/ROOT (and letting the entire world know what user accounts are on your box).
The alternative (since you are using Apache) is to place the images/stylesheets into directories outside of the webapp, and known only to Apache. i.e. have a huge directory with all of your stylesheets and do something like: <link rel="stylesheet" type="text/css" href="/styles/myStyle.css"> or even: <link rel="stylesheet" type="text/css" href="/styles<%= request.getContextPath() %>/myStyle.css"> "Denise Mangano" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Ok sorry for that. Finally got the right answer from the archives. > Apparently symlinks have been disabled since 4.1.12 for security reasons. I > noticed in the archives that it was suggested to set the allowLinking in my > server.xml file be enough? > > <Resources className="org.apache.naming.resources.FileDirContext" > allowLinking="true" docBase="" /> > > But if it was disabled for security reasons, then doesn't enabling it make > me susceptible to those same security risks? > > Can anyone suggest an alternative solution without having multiple > images/styles directories? I read something about setting up a Context for > these directories. Is that the path I should explore? > > Sorry to ask what seems to have been asked many times before, just trying to > get pointed in the right direction :) > > Thanks! > Denise > > > -----Original Message----- > From: Denise Mangano [mailto:[EMAIL PROTECTED] > Sent: Tuesday, June 03, 2003 11:59 PM > To: 'Tomcat Users List' > Subject: Using symlinks in webapps > > > I have read in some of the archives that using symlinks in tomcat cannot be > done? Is this true, or is it just not the preferred way to handle it? > > The problem that I am encountering is that my application uses Apache and > Tomcat, as well as a third party application. Instead of having 3 different > directories with the same images & style sheet and having to update images > in 3 places I set up one main images folder and one main style folder on the > Apache server, and set up symlinks to these folders everywhere else. From > within my Tomcat web app my images and styles are not working. I have all > the proper JkMount statements, and the images & style sheets do exist in the > specified location. > > I am looking further into this problem, but just wanted to run it by the > list to see whether or not symlinks are definitely not supported so I don't > go nuts trying to solve something that can't possibly work. > > Thanks! > Denise > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]