bootique / bootique-jetty

Provides Jetty integration with Bootique

Home Page: https://bootique.io

Replace "AllowSymLinkAliasChecker" with "SymlinkAllowedResourceAliasChecker"

andrus opened this issue · comments

Now that jetty/jetty.project#8259 is fixed and incorporated into Bootique, let's test the issue and change AllowSymLinkAliasChecker back to the default SymlinkAllowedResourceAliasChecker. This would result in better Jetty security and will get rid of the warning in the logs:

WARN o.e.j.s.h.AllowSymLinkAliasChecker: Deprecated, use SymlinkAllowedResourceAliasChecker instead.

Just committed the tests. They start failing once the following line is commented out in the ServerFactory:

contextHandler.setAliasChecks(List.of(new AllowSymLinkAliasChecker()));

Also discovered the fact that the Bootique-installed DefaultServlet is immune to this problem because its factory canonicalizes the resource base, implicitly resolving symlinks. It only happens when DefaultServlet is added manually with "resourceBase" containing a symlink.

To improve security, we should switch back to the default SymlinkAllowedResourceAliasChecker, and then deal with the rare fallout with one of these approaches:

  • Advise users to "canonicalize" their resource bases configured outside of the Bootique static servlets API
  • Provide an explicit API (extender, or likely YAML config) to register known roots with the alias checker
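
A sketch of the first approach above, canonicalizing a resource base before it is handed to a manually added DefaultServlet as "resourceBase". This is an added example, not code from Bootique or Jetty: the class name, method names and temp-directory layout are assumptions made for illustration, and `isAlias` is a simplified stand-in for Jetty's alias detection.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration; class and method names are hypothetical, not Bootique or Jetty API.
public class ResourceBaseCanonicalizer {

    // Resolves every symlink in the configured base, so paths built under it
    // are already canonical and no longer look like aliases.
    static Path canonicalize(Path configuredBase) throws IOException {
        // toRealPath() follows symlinks and throws if the path does not exist
        Path real = configuredBase.toRealPath();
        if (!Files.isDirectory(real)) {
            throw new IOException("Resource base is not a directory: " + real);
        }
        return real;
    }

    // Simplified alias condition (assumption): the path as requested
    // differs from the path the file system actually resolves it to.
    static boolean isAlias(Path resource) throws IOException {
        return !resource.toAbsolutePath().normalize().equals(resource.toRealPath());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/real/index.html and <tmp>/link -> <tmp>/real
        // (creating symlinks may need extra privileges on Windows)
        Path tmp = Files.createTempDirectory("resource-base-demo").toRealPath();
        Path realDir = Files.createDirectory(tmp.resolve("real"));
        Files.writeString(realDir.resolve("index.html"), "<html></html>");
        Path link = Files.createSymbolicLink(tmp.resolve("link"), realDir);

        // Base configured through the symlink: every resource under it is an alias
        System.out.println("alias via symlinked base:  " + isAlias(link.resolve("index.html")));

        // Base canonicalized first: resources under it resolve to themselves
        Path base = canonicalize(link);
        System.out.println("alias via canonical base:  " + isAlias(base.resolve("index.html")));

        // This string is what would be passed as the servlet's "resourceBase"
        System.out.println("resourceBase = " + base);
    }
}
```

Symlinks located below the canonicalized base are still aliases and remain subject to whichever alias checker is installed; only the symlink in the base itself is resolved away.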