Bug: 470790 Fixed alias checking of symlinked directories

examples/embedded/src/main/java/org/eclipse/jetty/embedded/OneWebApp.java

@@ -24,6 +24,8 @@ import java.lang.management.ManagementFactory;
 import org.eclipse.jetty.jmx.MBeanContainer;
 import org.eclipse.jetty.security.HashLoginService;
 import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.handler.AllowAllVerifier;
+import org.eclipse.jetty.server.handler.AllowSymLinkAliasChecker;
 import org.eclipse.jetty.webapp.WebAppContext;
 
 public class OneWebApp
@@ -51,26 +53,14 @@ public class OneWebApp
         WebAppContext webapp = new WebAppContext();
         webapp.setContextPath("/");
         File warFile = new File(
-                "../../jetty-distribution/target/distribution/demo-base/webapps/test.war");
+                "../../jetty-distribution/target/distribution/test/webapps/test/");
         webapp.setWar(warFile.getAbsolutePath());
+        webapp.addAliasCheck(new AllowSymLinkAliasChecker());
 
         // A WebAppContext is a ContextHandler as well so it needs to be set to
         // the server so it is aware of where to send the appropriate requests.
         server.setHandler(webapp);
 
-        // Configure a LoginService
-        // Since this example is for our test webapp, we need to setup a
-        // LoginService so this shows how to create a very simple hashmap based
-        // one. The name of the LoginService needs to correspond to what is
-        // configured in the webapp's web.xml and since it has a lifecycle of
-        // its own we register it as a bean with the Jetty server object so it
-        // can be started and stopped according to the lifecycle of the server
-        // itself.
-        HashLoginService loginService = new HashLoginService();
-        loginService.setName("Test Realm");
-        loginService.setConfig("src/test/resources/realm.properties");
-        server.addBean(loginService);
-
         // Start things up! 
         server.start();
 

jetty-server/src/main/java/org/eclipse/jetty/server/handler/AllowSymLinkAliasChecker.java

@@ -51,13 +51,25 @@ public class AllowSymLinkAliasChecker implements AliasCheck
         try
         {
             Path path = pathResource.getPath();
+            Path alias = pathResource.getAliasPath();
+            System.err.printf("getPath=%s%n",path);
+            System.err.printf("getAliasPath=%s%n",alias);
             
             // is the file itself a symlink?
-            if (Files.isSymbolicLink(path) && Files.isSameFile(path,pathResource.getAliasPath()))
+            if (Files.isSymbolicLink(path))
-            {
+            {        
+                alias = path.getParent().resolve(alias);
                 if (LOG.isDebugEnabled())
-                    LOG.debug("Allow symlink {} --> {}",resource,pathResource.getAliasPath());
+                {
-                return true;
+                    LOG.debug("path ={}",path);
+                    LOG.debug("alias={}",alias);
+                }
+                if (Files.isSameFile(path,alias))
+                {
+                    if (LOG.isDebugEnabled())
+                        LOG.debug("Allow symlink {} --> {}",resource,pathResource.getAliasPath());
+                    return true;
+                }
             }
             
             // No, so let's check each element ourselves

jetty-util/src/main/java/org/eclipse/jetty/util/resource/PathResource.java

@@ -381,7 +381,7 @@ public class PathResource extends Resource
     @Override
     public boolean isDirectory()
     {
-        return Files.isDirectory(path,NO_FOLLOW_LINKS);
+        return Files.isDirectory(path,FOLLOW_LINKS);
     }
 
     @Override
@@ -389,7 +389,7 @@ public class PathResource extends Resource
     {
         try
         {
-            FileTime ft = Files.getLastModifiedTime(path,NO_FOLLOW_LINKS);
+            FileTime ft = Files.getLastModifiedTime(path,FOLLOW_LINKS);
             return ft.toMillis();
         }
         catch (IOException e)