By: DenisH

DenisH — Mon, 31 Mar 2008 09:05:28 +0000

It turns out that there are a few caveats to using “allowLinking”. First the documentation for the context element for Tomcat 5.5 says: NOTE: This flag MUST NOT be set to true on the Windows platform (or any other OS which does not have a case sensitive filesystem), as it will disable case sensitivity checks, allowing JSP source code disclosure, among other security problems.

And second, in the migration documentation from 5.5 to Tomcat 6, it says “When using a shared webhosting environment, it is recommended that usage of context.xml inside a WAR is forbidden (using the deployXML attribute of the Host element)”. Presumably this is because it would allow badly behaved configurations to be loaded?

So, just be aware of these pieces of advice if you are going to use the context.xml and allowLinking.

Comments on: Following symbolic links in Tomcat

By: DenisH