Symlinks cause 404 with DefaultServlet when its "resourceBase" is different from ContextHandler's #8259

Closed
andrus opened this issue Jul 1, 2022 · 8 comments
Labels
Bug For general bugs on Jetty side


andrus commented Jul 1, 2022

Jetty version(s)

10.0.11 ... This worked on 9.x

Java version/vendor (use: java -version)

openjdk version "11.0.14.1" 2022-02-08

OS type/version

Mac OS 12.4

Description

The problem: DefaultServlet can't serve files located in symlinked directories if its resource base is different from its parent ContextHandler.

I am running Jetty with Bootique Framework. ContextHandler has no "resourceBase" set. There is a DefaultServlet that has "resourceBase" set to say /opt/p/c. If /opt/p/c are all regular folders, I can serve static files from this path via the DefaultServlet. If c is a symlink to a folder outside of p, I am getting a 404. Debugging shows that the culprit is alias checking by SymlinkAllowedResourceAliasChecker.

Workaround 1: setting ContextHandler.resourceBase to /opt/p/c makes things work again. This isn't always applicable, as I may have multiple DefaultServlets pointing to different folders on the filesystem.
Workaround 2: Using deprecated AllowSymLinkAliasChecker:

contextHandler.setAliasChecks(List.of(new AllowSymLinkAliasChecker()));

Desired behavior: in SymlinkAllowedResourceAliasChecker make alias checking work relative to the DefaultServlet base.

andrus added a commit to bootique/bootique-jetty that referenced this issue Jul 1, 2022
addressing Jetty bug with DefaultServlet: jetty/jetty.project#8259

joakime commented Jul 1, 2022

If you have a ContextHandler (or WebAppContext) resourceBase set, then the actual DefaultServlet (on url-pattern / with name default) should be using that exclusively.

If you want another DefaultServlet, not on the usual servlet default requirement, then you can specify extra DefaultServlets to then have a resourceBase declared for each.

There's examples of this at https://github.com/jetty-project/embedded-jetty-cookbook/blob/jetty-10.0.x/src/main/java/org/eclipse/jetty/cookbook/DefaultServletMultipleBases.java


andrus commented Jul 2, 2022

@joakime

> If you want another DefaultServlet, not on the usual servlet default requirement, then you can specify extra DefaultServlets to then have a resourceBase declared for each.

Yep, this is what I do (my DefaultServlet is mapped to "/asset/*", ContextHandler resource base is not set). But due to symlinks in the servlet's resource base, it stopped working after upgrading from Jetty 9 to 10. That's the problem that I described above.


joakime commented Jul 2, 2022

Please set server.setDumpAfterStart(true); and copy/paste the results of that output here.
There's something not clear from your explanation, the output state of your started server should reveal the truth of what you have.


joakime commented Jul 2, 2022

> Desired behavior: in SymlinkAllowedResourceAliasChecker make alias checking work relative to the DefaultServlet base.

That is correct, AliasChecking is done for the case of a discovered Resource for a requested resource against your declared Resource Base.

If you have multiple Resource bases, then the Alias Checking built into Jetty is not able to satisfy your ruleset. You will need to implement your own org.eclipse.jetty.server.handler.ContextHandler.AliasCheck that can handle your multiple bases, based on your own ruleset for your non-standard configuration.

If you choose to use a single Resource Base, but with multiple entries declared, use the org.eclipse.jetty.util.resource.ResourceCollection class to hold multiple Resource bases, then you have the option to use AllowedResourceAliasChecker, which supports this configuration.


andrus commented Jul 3, 2022

> Please set server.setDumpAfterStart(true); and copy/paste the results of that output here

I should be able to provide these details next week.

> If you have multiple Resource bases, then the Alias Checking built into Jetty is not able to satisfy your ruleset.

In theory, yes. E.g. a Bootique app may have 2 DefaultServlets, one serving files from the classpath (i.e. packaged in the app jar), and another from a folder on the filesystem (some examples given here).

> Wrong class, this one doesn't do what you think. There's a reason it's deprecated, that class is basically an "always true" implementation.

So that explains why it worked in Jetty 9 :)

> If you choose to use a single Resource Base, but with multiple entries declared, use the org.eclipse.jetty.util.resource.ResourceCollection

Let me check it out.


andrus commented Jul 6, 2022

Here is the startup dump sanitized from the organization specific data.
dump.txt

lachlan-roberts commented

@andrus In PR #8315 I have added a new constructor SymlinkAllowedResourceAliasChecker(ContextHandler contextHandler, Resource baseResource) which will allow you to configure multiple SymlinkAllowedResourceAliasCheckers with different Resource bases.

You can see this test as an example
https://github.com/eclipse/jetty.project/blob/110896b4d1b26698f4a72912d1ef8527156d3ac7/tests/test-integration/src/test/java/org/eclipse/jetty/test/AliasCheckerMultipleResourceBasesTest.java#L122-L135

This will be released with a 10.0.12/11.0.12 version.

Jetty 10.0.12 / 11.0.12 automation moved this from To do to Done Aug 10, 2022
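
The configuration discussed in this thread, as an added example that is not part of the original issue or of Jetty's own code: two DefaultServlets with separate resource bases, each covered by its own SymlinkAllowedResourceAliasChecker through the two-argument constructor named above, instead of the "always true" AllowSymLinkAliasChecker. It assumes Jetty 10.0.12 or later; the directories, servlet names and the `/docs/*` mapping are hypothetical.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.SymlinkAllowedResourceAliasChecker;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.resource.Resource;

public class PerBaseSymlinkAliasChecks {
    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);

        // The context itself has no resourceBase, as in the report.
        ServletContextHandler context = new ServletContextHandler();
        context.setContextPath("/");

        // Hypothetical bases; /opt/p/c may itself be a symlink.
        addStaticBase(context, "assets", "/asset/*", Paths.get("/opt/p/c"));
        addStaticBase(context, "docs", "/docs/*", Paths.get("/opt/p/docs"));

        // Weak workaround from the report, deliberately NOT used here:
        // context.setAliasChecks(List.of(new AllowSymLinkAliasChecker()));
        // It approves every alias, so it enforces no boundary at all.

        server.setHandler(context);
        // Dump the started server so the registered alias checks and
        // servlet init parameters can be verified in the output.
        server.setDumpAfterStart(true);
        server.start();
        server.join();
    }

    // Registers one DefaultServlet and one alias checker scoped to its base.
    private static void addStaticBase(ServletContextHandler context, String name,
                                      String pathSpec, Path dir) throws Exception {
        ServletHolder holder = new ServletHolder(name, DefaultServlet.class);
        holder.setInitParameter("resourceBase", dir.toUri().toASCIIString());
        holder.setInitParameter("pathInfoOnly", "true"); // strip the mapping prefix
        holder.setInitParameter("dirAllowed", "false");  // no directory listings
        context.addServlet(holder, pathSpec);

        // Alias decisions for this servlet are made against its own base.
        Resource base = Resource.newResource(dir.toUri());
        context.addAliasCheck(new SymlinkAllowedResourceAliasChecker(context, base));
    }
}
```
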

andrus commented Aug 10, 2022

Looking forward to the 10.0.12/11.0.12 releases. Thanks!
