10.12 Do not allow symbolic linking

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


Symbolic links permit one application to include the libraries from another. This allows for re-use of code but also allows for potential security issues when applications include libraries from other applications to which they should not have access.


Allowing symbolic links makes Tomcat susceptible to directory traversal vulnerability. Also, there is a potential that an application could link to another application to which it should not be linking. On case-insensitive operating systems there is also the threat of source code disclosure.


In all context.xml, set the allowLinking attribute to false:

<Resources ... allowLinking='false' />

Default Value:

By default allowLinking has a value of false.

See Also