Servlet File downloads and considerations

servlet| Download First Note:

In the forum, there have been advanced instructions on how to use HTTP Protocol to implement dynamic file download service in servlet/jsp. This function of the individual in the system development, with a lot of, but also encountered a few problems, want to share these experiences to everyone, hope for everyone can help.

1. MS IE version of the problem

if (Request.getheader ("User-agent"). IndexOf ("MSIE 5.5")!=-1) {

MS IE5.5 has a special deal to make.

Response.setheader ("Content-disposition", "filename=")

+ New String (F_name.getbytes ("Big5"), "iso8859_1"));

}

else {

Non-IE5.5 Header setting method

Response.AddHeader ("Content-disposition", "attachment;filename=")

+ New String (F_name.getbytes ("Big5"), "iso8859_1"));

}

IE 5.5 can not add attachment this keyword, this is a very strange version.

2. Download Chinese file name, such as the syntax of the previous program block, in fact very simple can be done, as long as the file name changed to "Iso8859_1" code can be, I have tested Tomcat, Oracle 9ias, Sun One can normally download Chinese file name, and, this way, The advantage is that no additional package is required.

3. After downloading the files, it is best to add the following two lines of instructions:

Response.setstatus (response. SC_OK);

Response.flushbuffer ();

Without these two lines, it is often possible to see the error message "Connection Rest by Peer" in Error.log, and, more seriously, the servlet/jsp that performs the download will not end, and it will take quite a long time to Timeout, if the download time More than a few, AP Server is miserable, so there is a dynamic download file program, it is best to add these two lines of instructions.

4. Security considerations, sometimes write programs lazy, will use dumpfile.jsp?f_name=attach/a.txt this way to deal with file downloads. If, in the program does not filter out the upload file name parameters, can not be mixed with "..." then, imagine if someone deliberately change the parameters to such? Dumpfile.jsp?f_name=.. /.. /.. /a.txt, hey heh, all files of the entire system have been downloaded.

Above, are the individual has made mistakes, for everyone's reference.

Without these two lines, it is often possible to see the error message "Connection Rest by Peer" in Error.log, and, more seriously, the servlet/jsp that performs the download will not end, and it will take quite a long time to Timeout, if the download time More than a few, AP Server is miserable, so there is a dynamic download file program, it is best to add these two lines of instructions.

5. Security considerations, sometimes write programs lazy, will use dumpfile.jsp?f_name=attach/a.txt this way to deal with file downloads. If, in the program does not filter out the upload file name parameters, can not be mixed with "..." then, imagine if someone deliberately change the parameters to such? Dumpfile.jsp?f_name=.. /.. /.. /a.txt, hey heh, all files of the entire system have been downloaded.

Above, are the individual has made mistakes, for everyone's reference.

URL is: http://www.javaworld.com.tw/jute/post/view?bid=6&id=44580&sty=1&tpg=1&age=-1

Another piece of reference article: http://www.chinaitpower.com/A/2005-04-06/113085.html

Import java.io.*;

Import java.util.*;
Import javax.servlet.*;
Import javax.servlet.http.*;

public class Download extends HttpServlet
{
public void doget (HttpServletRequest request, httpservletresponse response) throws IOException, Servletexception
{
Try
{
There's something else you can do.

Response.setcontenttype ("Application/octet-stream");
Response.setheader ("Content-disposition", "attachment; Filename=\ "The Save file name you want to display in the Save Window \");

Servletoutputstream out = Response.getoutputstream ();
BufferedReader br=new BufferedReader (new FileReader (file name to be downloaded));

String Line=br.readline ();
while (Line!=null)
{
Out.write (Line.getbytes ());
Out.println ();
Line=br.readline ();
}
Out.close ();
Br.close ();
}
catch (Exception e)
{
System.out.println (e);
}
}
public void DoPost (HttpServletRequest request, httpservletresponse response) throws IOException, Servletexception
{
Doget (request, response);
}
}

Note: In Chinese file name solution, change the BIG5 in the first reference to GBK:

New String (Name.getbytes ("GBK"), "Iso8859_1")

The above download code has a problem, can only download character class files, for binary files will be wrong, should use the following code

Bufferedinputstream in = null;
Servletoutputstream out = null;
FileInputStream stream = null;
try {
out = Response.getoutputstream ();
stream = new FileInputStream (file);

int bytesread = 0;
Final int length = 8192;
byte[] buffer = new Byte[length];
while ((bytesread = stream.read (buffer, 0, length))!=-1) {
Write at server side
Out.write (buffer, 0, bytesread);
}
catch (IOException e) {
throw New Bpdbusiexception (
Resourceconst.scorecard_err_downloadattachment_download);
finally {
if (in!= null) {
In.close ();
}
if (out!= null) {
Out.close ();
}
}