users@glassfish.java.net

Re: Can download jarfiles from WEB-INF in Glassfish V1

From: <glassfish_at_javadesktop.org>
Date: Wed, 22 Aug 2007 11:01:07 PDT

You're seeing this behaviour on Windows only, right?

If so, this should be related to the "allowLinking" property, whose default value has been "true" in 9.0.

From 9.1 B51 onwards (and also in the upcoming 9.0 patch release), the default value of this property has been changed to "false", to avoid other security-related issues on Windows in addition to the one you've reported.

To disable this property (and therefore stop honoring symbolic links) in 9.0, set its value to "false" in your webapp's sun-web.xml, as follows:

 <sun-web-app>
   <property name="allowLinking" value="false"/>
 </sun-web-app>

Alternatively, you can specify this property and set it to "false" at the <virtual-server> level in domain.xml, in which case it will apply to all webapps deployed on the virtual server.
[Message sent by forum member 'jluehe' (jluehe)]

http://forums.java.net/jive/thread.jspa?messageID=232091
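An audit of the setting described in the message above, as an added example that is not part of the original post or of GlassFish itself: it reports whether "allowLinking" is set explicitly in a sun-web.xml or under each <virtual-server> in domain.xml, and whether symbolic links end up honored given the release default ("true" in 9.0, "false" from 9.1 B51 onwards, per the message). The sample XML, the function names, and the `<property>` child layout under <virtual-server> are assumptions; no precedence between the two levels is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not taken from a real deployment).
SUN_WEB_EXPLICIT = """<sun-web-app>
  <property name="allowLinking" value="false"/>
</sun-web-app>"""
SUN_WEB_UNSET = "<sun-web-app><context-root>/shop</context-root></sun-web-app>"
DOMAIN_XML = """<domain><configs><config name="server-config"><http-service>
  <virtual-server id="server" hosts="localhost">
    <property name="allowLinking" value="true"/>
  </virtual-server>
  <virtual-server id="__asadmin" hosts="localhost"/>
</http-service></config></configs></domain>"""


def allow_linking(element):
    """Return the allowLinking value set directly under element, or None."""
    for prop in element.findall("property"):
        if prop.get("name") == "allowLinking":
            return (prop.get("value") or "").strip().lower()
    return None


def audit(where, element, default):
    """Describe one scope; an unset property falls back to the release default."""
    explicit = allow_linking(element)
    effective = explicit if explicit is not None else default
    return {"where": where, "explicit": explicit,
            "follows_links": effective == "true"}


def audit_webapp(xml_text, default="true"):
    """Audit a sun-web.xml; default="true" models 9.0, "false" models 9.1 B51+."""
    return audit("sun-web.xml", ET.fromstring(xml_text), default)


def audit_domain(xml_text, default="true"):
    """Audit every <virtual-server> element found in a domain.xml."""
    root = ET.fromstring(xml_text)
    return [audit("virtual-server " + vs.get("id", "?"), vs, default)
            for vs in root.iter("virtual-server")]


if __name__ == "__main__":
    findings = [audit_webapp(SUN_WEB_EXPLICIT), audit_webapp(SUN_WEB_UNSET)]
    findings += audit_domain(DOMAIN_XML)
    for f in findings:
        state = "FOLLOWS symlinks" if f["follows_links"] else "ok"
        print(f"{f['where']}: explicit={f['explicit']} -> {state}")
```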