In a web application I needed to serve images from a directory outside of the web application. I wanted to keep the application as unaware of the environment as possible, so I ended up defining a system property in Wildfly’s administration console and creating a servlet that listens to all requests on /avatar/. Anything passed as second atom on the path will be used as the filename. The final version will have to deal with relative paths outside of the allowed area as well. By stripping out any .., in both normal and escaped versions, this should be accomplished.
For now please enjoy my solution to this problem, composed from many resources on the internet.