Using JSP to build a customizable file upload

Source: Internet
Author: User
Tags file upload modify variable client
My work these days has mainly revolved around file (mostly picture) upload that can be integrated with an online HTML editor, easy to operate and similar to the way online pictures are currently referenced. I underestimated this matter, which was understandable: I had previously done it with a servlet, whose core, Douploadbean, really does work, and I later integrated it into the editor of a personal blog written in PHP without seeing anything particularly difficult. In fact, once I extended it, I found that simply implementing upload is easy, but arranging a reasonable upload strategy calls for caution. Allowing uploads is inherently dangerous: it actually opens a hole by letting the client perform real operations on the server. Upload attacks are neither difficult nor rare, and you can expect this kind of attack to happen once the system is open.

On the other hand, when users are allowed to upload local files, later management must be considered. Even on a user's own machine, the largest hard drive ends up filled with files that nobody can identify as garbage, and here many people are allowed to use the server; without a precise strategy, it will not take long for client uploads to blow up the system. Last week a friend asked me for help: their database had reached 30G, the hard drive was used up, and the machine went down. I could only be helpless, because it was certain that the vast majority of it was rubbish, but not clear what was rubbish and what was necessary. They lacked a strategy. Moreover, even if users are not malicious, under open upload the hard drive will soon be full, and if that is the system disk, it usually means a crash. So you must use a link to confine uploads to another dedicated partition to ensure safety. Disk quotas are usually not useful here, because they require tying the Web account to an operating system account, which is both complex and dangerous, and even less necessary. At the same time, if uploaded files are not given a directory per user, each file should be prefixed with the user's name for identification, so that when cleanup is needed the files can be matched by date and a FIND/GREP/RM script combination can be used for backup or cleanup.
Other factors make a real file-upload feature much larger than a simple file upload program: permission control (which demands care, since uploads can be used for attacks), file management, and modifiable attributes, including size and type restrictions and an easily changed storage mode. In fact, in the finished version, the upload part takes only five lines of code, while management takes no fewer than 50 lines.
Today you no longer have to write the input-stream handling yourself; even without accumulated code of your own, open source code can be found on the Internet, and Jakarta Commons upload is one example. It comes without examples, and most of the examples that can be found do not run. That is not the programmers' fault: not only does it have no documentation, its methods and classes have also changed. The upload in the examples is actually diskupload, and I could find no explanation of how that differs from the current upload, or of why I have to set the amount of memory used for saving. I do have a preference for my own code, but my code cannot handle multiple file uploads. Although that case is rare, I have long been confused about how to recognize more than one upload in a request, which means I am still not familiar with RFC1864. Since something more reliable exists, there is no point in being too partial to one's own work, and so Douploadbean, after several years of use, was thoroughly buried.
When choosing between a JSP and a servlet to process uploads, the servlet is clearly the more standard of the two, but it is rather inconvenient for permission control: the identification variable must be fetched through the request, which means a client could forge that variable and submit an upload directly, and making sure the identification is proper takes a lot of code. I finally decided to use my own invention and replace the servlet with JSP tags (see the article "You can use multiple JSP tags to achieve a similar servlet effect"). The results show that this is indeed a good way to get the advantages of jsp/servlet/javabean. Modification in particular is very easy: when I changed my mind and decided to create the directory under the user name, I only had to change the definition of one attribute of the tag. This really is ease of use in practice.

The final method of use is simple:

<command:saveupload byform="false" noredirect="true" Filename="theimg" roles="section" Dir="${filepath}" max="20000000"/>

Used this way, the saveupload tag checks permissions automatically: it allows members of the administrative group defined in section to upload, stores the upload in a private directory named after the user inside the department's upload directory, and names the file with theimg so that the client can embed it in the text being edited.

In this way, uploads are truly a component that can be used freely and conveniently.
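The management policy described above (role check, size limit, type restriction, per-user directory under a dedicated upload root, server-chosen file name) can be sketched as plain Java. This is an added example, not the author's saveupload tag; the class `UploadPolicy`, its method and parameter names, the extension allowlist and the sample data are assumptions, and the user and roles are assumed to come from the server-side session rather than from request parameters.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.Locale;
import java.util.Set;
// Added illustration: all names here are hypothetical, not the saveupload tag's code.
public class UploadPolicy {
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif");
    private final Path root;            // dedicated upload partition or directory
    private final String requiredRole;  // plays the part of roles="section"
    private final long maxBytes;        // plays the part of max="20000000"
    public UploadPolicy(Path root, String requiredRole, long maxBytes) {
        this.root = root.toAbsolutePath().normalize();
        this.requiredRole = requiredRole;
        this.maxBytes = maxBytes;
    }

    // user and roles must be read from the session, never from the upload request.
    public Path store(String user, Set<String> roles, String baseName,
                      String clientName, byte[] data) throws IOException {
        if (user == null || !roles.contains(requiredRole))
            throw new SecurityException("caller lacks role " + requiredRole);
        if (!user.matches("[A-Za-z0-9_]{1,32}") || !baseName.matches("[A-Za-z0-9_]{1,64}"))
            throw new IllegalArgumentException("unsafe user or file name");
        if (data.length == 0 || data.length > maxBytes)
            throw new IllegalArgumentException("size outside 1.." + maxBytes);
        // Only the extension of the client-supplied name is kept, and only if allowlisted.
        int dot = clientName.lastIndexOf('.');
        String ext = dot < 0 ? "" : clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext))
            throw new IllegalArgumentException("type not allowed: " + ext);
        Path userDir = root.resolve(user).normalize();
        Path target = userDir.resolve(baseName + "." + ext).normalize();
        if (!target.startsWith(root))   // defence in depth against path escape
            throw new SecurityException("path escapes upload root");
        Files.createDirectories(userDir);
        // CREATE_NEW refuses to overwrite a file that already exists.
        return Files.write(target, data, StandardOpenOption.CREATE_NEW);
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("uploads");  // constructed sample root
        UploadPolicy p = new UploadPolicy(root, "section", 20_000_000L);
        byte[] img = {(byte) 0x89, 'P', 'N', 'G'};           // constructed sample bytes
        System.out.println(p.store("alice", Set.of("section"), "theimg", "cat.PNG", img));
        try {
            p.store("bob", Set.of("guest"), "theimg", "x.png", img);
        } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Because every file lands under a directory named after its owner, a later cleanup by user and date only has to walk that one directory.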



