The intention of the AliasChecker change was not to break the usage of symlinks but to improve safety. The fact that you have experienced a change in behaviour probably means there is a bug in the new SymlinkAllowedResourceAliasChecker implementation.
For now you should be able to revert to the previous behaviour by adding the AllowSymLinkAliasChecker which has now been deprecated. But we will try to get a fix out in the upcoming 10.0.8 release.
Th symbolic link helps us (among other things) to use the same
configuration properties in various development and testing
environments as we use in most production environments. I manually
modified one development configuration to not use the symbolic link
and upgraded it to Jetty 10.0.7. And as you expected that does work
correctly.
Can you explain to me what the issue is with having symbolic links
in paths and what the consequence would be if I turned off this
behavior in production? I would expect symbolic links in paths to be
transparent to the application.
Kind regards,
Silvio
On 11/29/21 00:53, Lachlan Roberts
wrote:
Hi Silvio,
Do you have
any symlink in the path to these static resources? If so, this
could be related to the AliasChecker changes. You can test if
this is related to the AliasCheckers by adding the
`ContextHandler.ApproveAliases` to the `ContextHandler` and
see if you still get the 404's. But even if this fixes it, do
not add `ContextHandler.ApproveAliases` to your production
code.
Would you be
able to post a simple reproducer that works on 10.0.6 but not
on 10.0.7?
I use an embedded Jetty 10 server. My server setup code adds a
number of
ContextHandlers that each wrap a ResourceHandler to server
static
content on paths like /images and /scripts etc. Finally a
single
ServletContextHandler that wraps a ServletHolder is added at /
to handle
all other requests.
This same setup code has been used through various Jetty
versions (with
some slight modifications for major version jumps) and has
worked fine
up until Jetty 10.0.6. But starting from Jetty 10.0.7 it no
longer works
because requests for the static contents all result in 404
errors.
Did anything change in the 10.0.7 release that could explain
this? I did
not see anything in the change log that sounds remotely
related but I
could be wrong.