By default, for security reasons, Tomcat disallows the use of symbolic links inside of webapps. That is, if you put a symbolic link inside your webapp where Tomcat is serving files, and you request the symlink with a web client, Tomcat will reply with a 404 Not Found error page. For example, if your webapp is named pets-r-us and your server is named mall.example.com and you add a symlink inside your webapp like this:

$ cd $CATALINA_HOME/webapps/pets-r-us
$ ln -s /home/hamster/images images

If your /home/hamster/images directory is readable by the OS user that the Tomcat JVM is running as, you would think Tomcat would serve the images contained in that directory when accessing, for example, http://mall.example.com/pets-r-us/images/hamster1.jpg, but it will not, by default.

If Tomcat did allow symlinks by default, just picture what could happen if a malicious user was able to write a symlink into just one of the many directories of the webapp. The malicious user could add a symlink that would make Tomcat serve any file that is readable by the Tomcat JVM user, and the administrator of the Tomcat instance may not know that these files are being served. Because we don't know in advance which files these files could be, it is best for Tomcat to disallow serving symlinks by default.

If you want to allow Tomcat to serve files through symlinks, you can configure this on a per-webapp basis. To do this, you must configure an explicit Context element for your webapp. You cannot configure ...