Posted to users@tomcat.apache.org by Léa Massiot <lm...@orange.fr> on 2011/09/30 20:37:46 UTC

WebApps sharing uploaded files

Hello,

Thank you for reading my post.

o I have two WebApps "w1" and "w2" (under the Tomcat "webapps" directory).
o Both "w1" and "w2" contain (at least) a JSP which allows uploading files
to the server.
o Presently, the uploaded files are stored:
- in the "w1\uf1\" directory for "w1",
- in the "w2\uf2\" directory for "w2".
(So: each WebApp has its own directory for uploaded files storage).
=> I need the two Webapps to store their uploaded files in the same
directory, say "uf".

Let's say that: 
- we have created "uf" somewhere (where?),
- "uf" contains a successfully uploaded file "f.txt",
- I have a JSP "foo_1.jsp" in "w1" and a JSP "foo_2.jsp" in "w2".

I'd like:
- to put an anchor in "foo_1.jsp" which links to "f.txt".
----------------------------------------------------------------------
<a href="?_1/f.txt">Link 1</a>
----------------------------------------------------------------------
- to put an anchor in "foo_2.jsp" which links to "f.txt".
----------------------------------------------------------------------
<a href="?_2/f.txt">Link 2</a>
----------------------------------------------------------------------
(I want the files to open properly when each link is clicked).

1) If it's possible, where shall I create "uf"?
2) What shall I replace "?_1" and the "?_2" with in the "href" anchor
properties?

Please help me.
Best regards,
--
Léa
-- 
View this message in context: http://old.nabble.com/WebApps-sharing-uploaded-files-tp32570911p32570911.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: WebApps sharing uploaded files

Posted by Léa Massiot <lm...@orange.fr>.
Hello Tim,
Ok.
- I have only one copy of "f.txt".
- "uf1" and "uf2" are two distinct directories, the first in "w1", the
second in "w2".
- I have one JSP (same code) but two copies of it, the first in "w1", the
second in "w2".
"f.txt" either lives under "uf1" xor "uf2".
Maybe I'm not clear enough... but that's basically what I was trying to
do...
Thank you for your interest,
--
Léa


Re: WebApps sharing uploaded files

Posted by Tim Watts <ti...@cliftonfarm.org>.
It does? Doesn't that mean you have two distinct copies of f.txt? I
thought that's what you were trying to avoid. Or are uf1 and uf2 aliases
for the same directory? Or was your goal really to have one JSP that
would work in w1 and w2?


On Mon, 2011-10-03 at 10:15 -0700, Léa Massiot wrote:
> Hello,
> 
> I solved my problem:
> 1) in WebApp "w1", upload files to the directory "w1\uf1\",
> 2) in WebApp "w2", upload files to the directory "w1\uf2\",
> 3) then you can have the same JSP "foo.jsp" for both WebApps.
> Put one JSP in "w1" and another one in "w2".
> The JSP itself contains a switch:
> --------------------------------------------------------
> <c:choose>
> 	<c:when test="<a_test>">
> 		<a href="/w1/uf1/f.txt">Link 1</a>
> 	</c:when>
> 	<c:otherwise>
> 		<a href="/w2/uf2/f.txt">Link 2</a>
> 	</c:otherwise>
> </c:choose>
> --------------------------------------------------------
> 
> Best regards,
> --
> Léa





Re: WebApps sharing uploaded files

Posted by André Warnier <aw...@ice-sa.com>.
Léa Massiot wrote:
...

> What's interesting is that, in the same servlets container, one WebApp "has
> access" to another WebApp through "/w1/uf1/f.txt" "/w2/uf2/f.txt" type of
> addressing.
> 
That's only because you look at it the wrong way.
It is not that "one webapp has access to another webapp", it is that the user's browser 
has (apparently) access to both webapps.
By the time one of these links gets used, it is because the html page is loaded by the 
user's browser, the user clicks on one of the links, and the browser sends a new request 
to the server.  What happens then is only a matter of the server deciding if this request, 
coming from that browser connection, is allowed to access the requested resource.
If you add an authentication requirement in one of these webapps, and not in the other, 
you will see the difference.




Re: WebApps sharing uploaded files

Posted by Léa Massiot <lm...@orange.fr>.
Hello André,

> Do you mean that you are going to create a new JSP for every new file
> someone may ever upload?
No...

> Or do they always upload the same file "f.txt"? 
No...

I understand your being puzzled... my bad:
the example I posted is oversimple but it works if tested!

In reality, the "c:choose" is "dynamic" in the JSPs:
it is part of a loop which loops through a dynamic list of attachments.

And yes you're right, contrary to my original description,
there is not a unique "uf" directory storing both the attachments of "w1"
and those of "w2".
Some attachments are in "w1\uf1", all the others are in "w2\uf2" (it's a
partition).

That solution is quite good because:
- there are no file duplicates,
- the JSPs are the same,
- I just need a switch inside of them to pick the attachments in the right
directory according to a test.
What's interesting is that, in the same servlets container, one WebApp "has
access" to another WebApp through "/w1/uf1/f.txt" "/w2/uf2/f.txt" type of
addressing.

Thank you for your interest and best regards,
--
Léa

Re: WebApps sharing uploaded files

Posted by André Warnier <aw...@ice-sa.com>.
Léa Massiot wrote:
> Hello,
> 
> I solved my problem:
> 1) in WebApp "w1", upload files to the directory "w1\uf1\",
> 2) in WebApp "w2", upload files to the directory "w1\uf2\",
> 3) then you can have the same JSP "foo.jsp" for both WebApps.
> Put one JSP in "w1" and another one in "w2".
> The JSP itself contains a switch:
> --------------------------------------------------------
> <c:choose>
> 	<c:when test="<a_test>">
> 		<a href="/w1/uf1/f.txt">Link 1</a>
> 	</c:when>
> 	<c:otherwise>
> 		<a href="/w2/uf2/f.txt">Link 2</a>
> 	</c:otherwise>
> </c:choose>
> --------------------------------------------------------
> 
From your original description (post of 30/09) I am a bit puzzled as to how this resolves 
your problem.  Do you mean that you are going to create a new JSP for every new file 
someone may ever upload? Or do they always upload the same file "f.txt"?




Re: WebApps sharing uploaded files

Posted by Léa Massiot <lm...@orange.fr>.
Hello,

I solved my problem:
1) in WebApp "w1", upload files to the directory "w1\uf1\",
2) in WebApp "w2", upload files to the directory "w1\uf2\",
3) then you can have the same JSP "foo.jsp" for both WebApps.
Put one JSP in "w1" and another one in "w2".
The JSP itself contains a switch:
--------------------------------------------------------
<c:choose>
	<c:when test="<a_test>">
		<a href="/w1/uf1/f.txt">Link 1</a>
	</c:when>
	<c:otherwise>
		<a href="/w2/uf2/f.txt">Link 2</a>
	</c:otherwise>
</c:choose>
--------------------------------------------------------

Best regards,
--
Léa


Re: WebApps sharing uploaded files

Posted by Léa Massiot <lm...@orange.fr>.
Hello.
Ok. I found what I was doing wrong and corrected my mistake:
added "/w1" at the beginning of the "href" attribute value. See below:

2.C) test_download.html

<html>
  <head>
    <title>Test download</title>
  </head>
  <body>
    <a href="/w1/attachments/foo.txt">Foo.txt</a>
  </body>
</html>

Now it works!
Best regards,
--
Léa

Re: WebApps sharing uploaded files

Posted by Léa Massiot <lm...@orange.fr>.

chris wrote:
> 
> Be careful: if you undeploy the webapp, you will have all those files
> deleted by Tomcat.
> 
Ok. Thank you!

André wrote:
> 
> Thanks. Seen.  Lea, do you follow ? 
> 
Yes, thanks!

Ok. 
I do not properly understand the doc.:
http://tomcat.apache.org/tomcat-7.0-doc/config/context.html

1) "aliases" is an attribute. Is it an attribute of the "Context" element?

2) I have a "context.xml" file in "META-INF" in both "w1" and "w2". I have
tried:

2.A) context.xml

<?xml version='1.0' encoding='utf-8'?>
<Context aliases="/attachments=C:\somewhere_1\somewhere_2\somewhere_3">
  [...]
</Context>

2.B) I've created a "foo.txt" file in the directory
"C:\somewhere_1\somewhere_2\somewhere_3\"

2.C) test_download.html

<html>
  <head>
    <title>Test download</title>
  </head>
  <body>
    <a href="/attachments/foo.txt">Foo.txt</a>
  </body>
</html>

When I click the link, I get a 404 error:

HTTP Status 404 - /attachments/foo.txt
type Status report
message /attachments/foo.txt
description The requested resource (/attachments/foo.txt) is not available.

What am I doing wrong?

Thank you and best regards,
--
Léa


Re: WebApps sharing uploaded files

Posted by Christopher Schultz <ch...@christopherschultz.net>.
André,

On 10/4/2011 1:56 PM, André Warnier wrote:
> quote
> 
> allowLinking
> 
> If the value of this flag is true, symlinks will be allowed inside
> the web application, pointing to resources outside the web
> application base path. If not specified, the default value of the
> flag is false.
> 
> NOTE: This flag MUST NOT be set to true on the Windows platform (or
> any other OS which does not have a case sensitive filesystem), as
> it will disable case sensitivity checks, allowing JSP source code
> disclosure, among other security problems.
> 
> unquote
> 
> Is this second paragraph really well-placed there ? Does
> allowLinking really influence case-sensitivity ?

I'm not sure. I think, on Windows, links (like "My Link.lnk") need to
be processed separately, and, of course, case cannot be considered
significant on FAT and NTFS. There are other kinds of symlinks (not
"My Link.lnk") available on NTFS, but I'm not sure of their semantics.

Also note that allowLinking can cause problems with Tomcat's
slash-and-burn policy when undeploying webapps on *NIX (and possibly
on Windows as well).

-chris


Re: WebApps sharing uploaded files

Posted by ma...@apache.org.
"André Warnier" <aw...@ice-sa.com> wrote:

>Christopher Schultz wrote:
>> André,
>> 
>> On 10/4/2011 1:31 PM, André Warnier wrote:
>>> Or, wasn't there a possibility to place a symlink within the
>>> webapps dir, and have Tomcat /not/ following it when undeploying ?
>>> Or was that precisely the catch, that it always does ?
>> 
>> Look for "aliases":
>> http://tomcat.apache.org/tomcat-7.0-doc/config/context.html
>> 
>Thanks. Seen.  Lea, do you follow ?
>
>By the way, in that same page, the next item is :
>
>quote
>
>allowLinking	
>
>If the value of this flag is true, symlinks will be allowed inside the
>web application, 
>pointing to resources outside the web application base path. If not
>specified, the default 
>value of the flag is false.
>
>NOTE: This flag MUST NOT be set to true on the Windows platform (or any
>other OS which 
>does not have a case sensitive filesystem), as it will disable case
>sensitivity checks, 
>allowing JSP source code disclosure, among other security problems.
>
>unquote
>
>Is this second paragraph really well-placed there ?

Yes.

>Does allowLinking really influence case-sensitivity ?

Yes.

Mark






Re: WebApps sharing uploaded files

Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
> André,
> 
> On 10/4/2011 1:31 PM, André Warnier wrote:
>> Or, wasn't there a possibility to place a symlink within the
>> webapps dir, and have Tomcat /not/ following it when undeploying ?
>> Or was that precisely the catch, that it always does ?
> 
> Look for "aliases":
> http://tomcat.apache.org/tomcat-7.0-doc/config/context.html
> 
Thanks. Seen.  Lea, do you follow ?

By the way, in that same page, the next item is :

quote

allowLinking	

If the value of this flag is true, symlinks will be allowed inside the web application, 
pointing to resources outside the web application base path. If not specified, the default 
value of the flag is false.

NOTE: This flag MUST NOT be set to true on the Windows platform (or any other OS which 
does not have a case sensitive filesystem), as it will disable case sensitivity checks, 
allowing JSP source code disclosure, among other security problems.

unquote

Is this second paragraph really well-placed there ?
Does allowLinking really influence case-sensitivity ?




Re: WebApps sharing uploaded files

Posted by Christopher Schultz <ch...@christopherschultz.net>.
André,

On 10/4/2011 1:31 PM, André Warnier wrote:
> Or, wasn't there a possibility to place a symlink within the
> webapps dir, and have Tomcat /not/ following it when undeploying ?
> Or was that precisely the catch, that it always does ?

Look for "aliases":
http://tomcat.apache.org/tomcat-7.0-doc/config/context.html

-chris


Re: WebApps sharing uploaded files

Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
> Léa,
> 
> On 9/30/2011 2:37 PM, Léa Massiot wrote:
>> o I have two WebApps "w1" and "w2" (under the Tomcat "webapps"
>> directory). o Both "w1" and "w2" contain (at least) a JSP which
>> allows uploading files to the server. o Presently, the uploaded
>> files are stored: - in the "w1\uf1\" directory for "w1", - in the
>> "w2\uf2\" directory for "w2".
> 
> Be careful: if you undeploy the webapp, you will have all those files
> deleted by Tomcat.
> 
> I highly recommend that you place your "upload" directory or
> directories safely /outside/ of Tomcat's webapps directory to avoid
> any possibility of Tomcat deleting those files.
> 
Right. But then, Lea's simple scheme for download will stop working.
Damn..

Or, wasn't there a possibility to place a symlink within the webapps dir, and have Tomcat 
/not/ following it when undeploying ? Or was that precisely the catch, that it always does ?



Re: WebApps sharing uploaded files

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Léa,

On 9/30/2011 2:37 PM, Léa Massiot wrote:
> o I have two WebApps "w1" and "w2" (under the Tomcat "webapps"
> directory). o Both "w1" and "w2" contain (at least) a JSP which
> allows uploading files to the server. o Presently, the uploaded
> files are stored: - in the "w1\uf1\" directory for "w1", - in the
> "w2\uf2\" directory for "w2".

Be careful: if you undeploy the webapp, you will have all those files
deleted by Tomcat.

I highly recommend that you place your "upload" directory or
directories safely /outside/ of Tomcat's webapps directory to avoid
any possibility of Tomcat deleting those files.

-chris


Re: WebApps sharing uploaded files

Posted by Léa Massiot <lm...@orange.fr>.
Hello André,
Thank you for all this useful advice.
Best regards,
--
Léa


Re: WebApps sharing uploaded files

Posted by André Warnier <aw...@ice-sa.com>.
Léa Massiot wrote:
> Hello André,
> 
> Thank you for your answer.
> 
> awarnier wrote:
>> You can define "uf" wherever you want, as long as Tomcat (and the
>> applications 
>> which run under it, like your JSPs) has write access to it.
>>
> 
> Actually, I already noticed and tried that and my first question is closely
> linked to my second question about "href"s... (Questions 1) and 2) aren't
> really two separate questions.)
> 
> Thank you for your two interesting suggestions:
> - creating some kind of "downloader" servlet,
> - WebDAV which I know nothing about.
> 
> This is not an academic project.
> I just made a schematic picture of the situation.
> 
Ok. Then,

- DAV is a protocol (an extension to HTTP) which allows a client to upload and download 
files to/from a webserver (and also browse webserver directories) over an HTTP connection. 
There are DAV clients available for most platforms (Windows, Mac, ...).  Under Windows, 
what MS calls "web folders" is a DAV client integrated in the Windows (disk) Explorer.

- before inventing your own scheme, look around to see if there are not already 
applications which do that.  It is more complex than you may think, and there is no need 
to re-invent the wheel.

If you provide some additional details about what your application is supposed to do, 
maybe someone here can orient you to some existing application.

If you insist on creating your own application to do this, then a couple of basic notes:

Think first about security.  You are going to allow people to write to your server's 
disks, so be careful.  Everything a client sends should be considered as suspect until 
proven otherwise.
For example :
- Force clients to authenticate before they can upload files, and log what they do.
- Do not allow a client to upload files to your server wherever it wants.  For example, if 
the client can specify the filename, don't allow them to specify things like 
"../../../etc/passwd".
- Do not use the filename supplied by the client as a part of any command that you run on 
the server, unless you are /absolutely/ sure that it is only an innocent filename.
- Upload the files to a location where Tomcat has read/write access, and /only/ Tomcat has 
access.
- Make sure that there is no way that anyone can tell any program on your server to 
/execute/ any uploaded file.
- better: do not use the filename that clients specify, as the filename under which you 
really write the file on the server.  First, people give all kinds of silly names to 
files, including spaces and other characters that can give you problems (think "& | > <" 
e.g.).  Second, people will use the same name for different files, and you'll end up 
overwriting stuff.
So on the server side, create your own naming scheme, and some mechanism to associate what 
the client specifies as a name, with the name you are creating on the server.
(Of course then, you may also need to provide a special servlet to allow people to browse 
files, and another one to allow them to delete files).
- set some limit to the size of files that anyone can upload.  Otherwise it will not take 
long before someone paralyses your server (maliciously or not).
- filter the /type/ of file that clients can upload. Be restrictive : forbid everything 
/except/ the types you allow, and not the opposite.




Re: WebApps sharing uploaded files

Posted by Léa Massiot <lm...@orange.fr>.
Hello André,

Thank you for your answer.

awarnier wrote:
> 
> You can define "uf" wherever you want, as long as Tomcat (and the
> applications 
> which run under it, like your JSPs) has write access to it.
> 

Actually, I already noticed and tried that and my first question is closely
linked to my second question about "href"s... (Questions 1) and 2) aren't
really two separate questions.)

Thank you for your two interesting suggestions:
- creating some kind of "downloader" servlet,
- WebDAV which I know nothing about.

This is not an academic project.
I just made a schematic picture of the situation.

Thanks!
--
Léa


Re: WebApps sharing uploaded files

Posted by André Warnier <aw...@ice-sa.com>.
Léa Massiot wrote:
> Hello,
> 
> Thank you for reading my post.
> 
> o I have two WebApps "w1" and "w2" (under the Tomcat "webapps" directory).
> o Both "w1" and "w2" contain (at least) a JSP which allows uploading files
> to the server.
> o Presently, the uploaded files are stored:
> - in the "w1\uf1\" directory for "w1",
> - in the "w2\uf2\" directory for "w2".
> (So: each WebApp has its own directory for uploaded files storage).
> => I need the two Webapps to store their uploaded files in the same
> directory, say "uf".
> 
> Let's say that: 
> - we have created "uf" somewhere (where?),

You can define "uf" wherever you want, as long as Tomcat (and the applications which run 
under it, like your JSPs) has write access to it.

> - "uf" contains a successfully uploaded file "f.txt",
> - I have a JSP "foo_1.jsp" in "w1" and a JSP "foo_2.jsp" in "w2".
> 
> I'd like:
> - to put an anchor in "foo_1.jsp" which links to "f.txt".
> ----------------------------------------------------------------------
> <a href="?_1/f.txt">Link 1</a>
> ----------------------------------------------------------------------
> - to put an anchor in "foo_2.jsp" which links to "f.txt".
> ----------------------------------------------------------------------
> <a href="?_2/f.txt">Link 2</a>
> ----------------------------------------------------------------------
> (I want the files to open properly when each link is clicked).

Then you should probably create another JSP/servlet, whose role is to download the 
requested file to the browser, and which is called with the file name as a query 
parameter.  It can then read the file wherever "uf" is, and return it to the browser.

Now unless this is a purely academic project to learn about webservers and/or Tomcat, the 
whole thing sounds a bit over-simple, and does not take into account a lot of dangerous 
aspects of this kind of application.

And if it is not purely an academic project, I would recommend having a look at the WebDAV 
application, which may be what you are looking for.

I wish I could give you a pointer to some documentation about that application, but I 
can't seem to be able to locate it on the Tomcat website.
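
Added example (not code from any poster in this thread): a sketch of the storage logic behind the download servlet suggested in the message above, combined with the upload rules listed in André's other message (server-side naming scheme, size limit, type allow-list, storage outside the webapps directory). The class name UploadStore, the allowed extensions and the 5 MB limit are assumptions; the query parameter carries a server-generated id rather than the client's file name.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Added example: one upload store that both webapps ("w1" and "w2") could share.
// The class name, allowed types and size limit are assumptions for illustration.
public class UploadStore {
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList("txt", "pdf", "png"));
    private static final long MAX_BYTES = 5L * 1024 * 1024;

    private final Path base; // the shared "uf" directory, outside Tomcat's webapps
    // id -> {name on disk, name the client gave}; a real application would persist this
    private final Map<String, String[]> index = new ConcurrentHashMap<>();

    public UploadStore(Path base) throws IOException {
        Files.createDirectories(base);
        this.base = base.toRealPath();
    }

    // Upload side: enforce the size limit and the type allow-list, then write the
    // bytes under a server-generated name. The client's name is kept only as a label.
    public String store(String clientName, byte[] content) throws IOException {
        if (content.length > MAX_BYTES) {
            throw new IllegalArgumentException("upload exceeds size limit");
        }
        int dot = clientName.lastIndexOf('.');
        String ext = dot < 0 ? "" : clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) {
            throw new IllegalArgumentException("file type not allowed");
        }
        String id = UUID.randomUUID().toString();
        String diskName = id + "." + ext;
        Files.write(base.resolve(diskName), content, StandardOpenOption.CREATE_NEW);
        index.put(id, new String[] {diskName, clientName});
        return id;
    }

    // Download side: the request parameter is an id looked up in the index, never a path.
    public Path resolve(String id) throws IOException {
        String[] entry = id == null ? null : index.get(id);
        if (entry == null) {
            throw new NoSuchFileException("unknown id");
        }
        Path file = base.resolve(entry[0]).normalize();
        if (!file.startsWith(base)) { // defence in depth; cannot happen with generated names
            throw new SecurityException("path escapes upload directory");
        }
        return file;
    }

    // Name the client originally gave, for display in the list of attachments.
    public String labelOf(String id) {
        String[] entry = index.get(id);
        return entry == null ? null : entry[1];
    }

    public static void main(String[] args) throws IOException {
        UploadStore store = new UploadStore(Files.createTempDirectory("uf")); // constructed location
        String id = store.store("f.txt", "hello".getBytes(StandardCharsets.UTF_8));
        System.out.println(store.labelOf(id) + " -> " + store.resolve(id).getFileName());

        // Constructed hostile inputs: each is rejected before touching the file system.
        for (String name : new String[] {"../../../etc/passwd", "shell.jsp", "notes"}) {
            try {
                store.store(name, new byte[0]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected upload " + name + ": " + e.getMessage());
            }
        }
        try {
            store.resolve("../../../etc/passwd");
        } catch (NoSuchFileException e) {
            System.out.println("rejected download request: " + e.getMessage());
        }
    }
}
```

A servlet in either webapp would call resolve() with the request parameter and stream the returned file, so the anchors in both JSPs can point at the same servlet URL with different ids.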

