OOP-ResearchMake It Simpler by Object Oriented Programming

Properties for OOP MimeParser: Java API for file upload JSP/Servlet by multipart/form-data

File upload JSP/Servlet by multipart/form-data. How to limit the size and mime-type (Content-Type) of the uploaded file. JSP/Servlet can check if the binary contents match with JPEG, PNG, GIF or PDF.
To protect the file upload JSP/Servlet from the bad users, you need to limit the size and mime-type (Content-Type) of the uploaded file. You can also limit the width/height of the image file (JPEG, GIF or PNG). This feature will be useful if you are going to build the online photo album.
In addition, it is desirable for your JSP/Servlet to inspect the binary contents of the uploaded file. If the binary contents do not match with the expected pattern for the mime-type, your JSP/Servlet should refuse the file upload request. By the help of OOP MimeParser, a few lines of codes are enough for all these tasks.
In the property file, you can specify the maximum file size, the maximum width/height of the image file, the list of the acceptable mime-types (Content-Types), and how to check the binary contents. This page describes about these properties for OOP MimeParser.

Related Pages:


Property files

When you extract the distribution of this Java API, you will find:

  • MimeParser.properties
  • AcceptMime.properties
  • BinaryCheckerDic.properties
  • ImageSizeChecker.properties
under conf sub-directory. Please edit them and specify the values suitable for your environment. And place them under (docBase)/WEB-INF/classes for your web application context.

MimeParser.properties

The properties written in MimeParser.properties are:

max_request The maximum Content-Length (in bytes) of the HTTP request. Before processing the HTTP request, all the parseXX( ) methods check the Content-Length of each HTTP request and compare it with this property. If the Content-Length of the HTTP request is larger than this property, these methods will throw TooLargeBodyException soon, without reading any bytes of the request body. This feature is very important to protect your JSP/Servlet against some kinds of denial-of-service attacks.
The Content-Length consists of:
  • The size of the uploaded file
  • The size of the submitted text
  • The size of the boundary text, which is generated by the web browser
So, the maximum size of the Content-Length must be larger than the maximum size of the uploaded file. For example, if you'd like to set the maximum file size to 100 KB, the maximum Content-Length should be set to 150 KB or 200 KB. If the CGI FORM has many text input fields, it should be 200 KB larger (or more) than the maximum file size.
This property must be specified in bytes. For example, if you'd like to set the maximum Content-Length to 100 KB, this property will be 102400.
max_file The default maximum size (in bytes) of the file to be uploaded. If this value is set to 0 (zero), the size of the uploaded file will not be checked.
When you call any of:
  • parseAndSave(HttpServletRequest req, String ch)
  • parseAndSave(HttpServletRequest req, String ch, String dir)
  • parseAndSave(HttpServletRequest req, String ch, Set mime)
  • parseAndSave(HttpServletRequest req, String ch, String dir, Set mime)
  • parseOnly(HttpServletRequest req)
  • parseOnly(HttpServletRequest req, String ch)
  • parseOnly(HttpServletRequest req, Set mime)
  • parseOnly(HttpServletRequest req, String ch, Set mime)
this default maximum size is used to restrict the file size.

But, the default maximum file size can be overridden by max parameter of:
  • parseAndSave(HttpServletRequest req, String dir, int max)
  • parseAndSave(HttpServletRequest req, String dir, int max, Set mime)
  • parseAndSave(HttpServletRequest req, String ch, String dir, int max)
  • parseAndSave(HttpServletRequest req, String ch, String dir, int max, Set mime)
  • parseOnly(HttpServletRequest req, int max)
  • parseOnly(HttpServletRequest req, int max, Set mime)
  • parseOnly(HttpServletRequest req, String ch, int max)
  • parseOnly(HttpServletRequest req, String ch, int max, Set mime)
By these methods, you can set the different upper limits for each requests.

You need to protect your JSP/Servlet against some kinds of denial-of-service attacks, because someone in the world may try to upload the file of 1 GB repeatedly. For this case, MimeParser checks the Content-Length of each HTTP request, before reading any bytes of the HTTP request body. By max_request property (see above), you can specify the maximum Content-Length. If the Content-Length of the HTTP request is larger than max_request property, MimeParser will throw TooLargeBodyException soon. Only if the Content-Length of the HTTP request is smaller than max_request property, MimeParser will check the size of the uploaded file.

This property must be specified in bytes. For example, if you'd like to set the maximum file size to 100 KB, this property will be 102400.
file_root The root directory under which the uploaded file will be saved. In case of UNIX, the value of this property will look like:
  • file_root=/export/home/foo/mime
As for Windows OS, if you'd like to save the uploaded files into:
  • C:\mywebapps\mime\upfiles
this property will be something like:
  • file_root=C:\\mywebapps\\mime\\upfiles
In case of Windows OS, all the \ (back-slash) must be escaped by the preceding \ (back-slash).

The sub-directory can be specified by the third parameter of:
  • parseAndSave(HttpServletRequest req, String ch, String dir)
  • parseAndSave(HttpServletRequest req, String ch, String dir, int max)
  • parseAndSave(HttpServletRequest req, String ch, String dir, Set mime)
  • parseAndSave(HttpServletRequest req, String ch, String dir, int max, Set mime)
or the second parameter of
  • parseAndSave(HttpServletRequest req, String dir)
  • parseAndSave(HttpServletRequest req, String dir, int max)
  • parseAndSave(HttpServletRequest req, String dir, Set mime)
  • parseAndSave(HttpServletRequest req, String dir, int max, Set mime)
So, you can specify the different directory per request.
If you use any of parseOnly(...) methods, the value of this property does not take effect at all, because these 8 methods do not save the uploaded files by themselves. Instead, you can get the binary contents of the uploaded file and save them anywhere you like, i.e. you have the full control over where to save the uploaded files.
checkBinary As for the specific mime-types, MimeParser can check if the binary contents of the uploaded file match with the expected pattern or not. To enable this feature, please set this property to true. You also need to edit:
  • BinaryCheckerDic.properties
which lists the mapping between the mime-type and BinaryChecker implementation. As for this property file, please read the subsequent section.
max_width/max_height The maximum width/height (in pixels) of the image file (JPEG, PNG or GIF) to be uploaded. To check the width/height of the image files, you also need to copy:
  • ImageSizeChecker.properties
into:
  • WEB-INF/classes
With this property file is installed, the following methods will check the width/height of the image file to be uploaded and will throw LargeImageException if its width/height exceeds the specified maximum width/height:
  • parseAndSave(HttpServletRequest req, String ch, Set mime)
  • parseAndSave(HttpServletRequest req, String ch, String dir, Set mime)
  • parseAndSave(HttpServletRequest req, String dir, int max, Set mime)
  • parseAndSave(HttpServletRequest req, String ch, String dir, int max, Set mime)
  • parseOnly(HttpServletRequest req, Set mime)
  • parseOnly(HttpServletRequest req, String ch, Set mime)
  • parseOnly(HttpServletRequest req, int max, Set mime)
  • parseOnly(HttpServletRequest req, String ch, int max, Set mime)
To enable this feature, your JSP/Servlet container (such as Apache Tomcat, Jetty or WebLogic) must be run on JDK 1.4 or later.
charset The default charset for decoding the text parameters. The text parameter includes:
  • INPUT with the type of TEXT
  • INPUT with the type of HIDDEN
  • INPUT with the type of PASSWORD
  • INPUT with the type of CHECKBOX
  • INPUT with the type of RADIO
  • INPUT with the type of SUBMIT
  • SELECT
  • TEXTAREA
This value can be overridden by the second parameter of:
  • parseAndSave(HttpServletRequest req, String ch, String dir)
  • parseAndSave(HttpServletRequest req, String ch, String dir, int max)
  • parseAndSave(HttpServletRequest req, String ch, String dir, Set mime)
  • parseAndSave(HttpServletRequest req, String ch, String dir, int max, Set mime)
  • parseOnly(HttpServletRequest req, String ch)
  • parseOnly(HttpServletRequest req, String ch, int max)
  • parseOnly(HttpServletRequest req, String ch, Set mime)
  • parseOnly(HttpServletRequest req, String ch, int max, Set mime)
In case that TEXT INPUT, SELECTION or HIDDEN INPUT whose name is charset is found in the request, its value will be used regardless of above. For example, the FORM below includes the HIDDEN INPUT whose name is charset. On the destination JSP, MimeParser picks up the value of this HIDDEN INPUT and decodes the rest of the text parameters by Shift_JIS.
Form with charset
user Your serial ID, which is shown at the time of download. Required only in case you use the trial version.


Please place this property file under:
  • (docBase)/WEB-INF/classes

AcceptMime.properties

Each time when you call:

  • AcceptMime.getAcceptMime( )
the contents of AcceptMime.properties is loaded. The keys in this property file is the mime-types (Content-Type), and their corresponding values are yes or no. And the above method returns the Set object, which includes the mime-types whose values are yes.
You can pass this Set object to some methods of MimeParser. Then, only the files of the specific mime-types can be uploaded. In case of the invalid mime-types, MimeParser will throw InvalidContentTypeException.

For example, your JSP/Servlet may want to accept JEPG, PNG and GIF files only. In this case, your AcceptMime.properties should have the lines like:
  • image/jpeg=yes
  • image/pjpeg=yes
  • image/png=yes
  • image/gif=yes
  • image/bmp=no
  • application/pdf=no
  • application/postscript=no
When your JSP/Servlet calls:
  • AcceptMime.getAcceptMime( )
the returned Set object includes
  • image/jpeg
  • image/pjpeg
  • image/png
  • image/gif
Then, your JSP/Servlet can pass this Set object to some methods of MimeParser.
The source code of your JSP/Servlet will look like this:


  Set accept_mime=AcceptMime.getAcceptMime();

  // The uploaded file will be saved under the "foo"
  // sub-directory...
  String user="foo";

  // The maximum file size is set to
  // 30*1024 bytes (30 KB), which can
  // override the "max_file" property.
  mime.parseAndSave(request,user,30*1024,accept_mime);


Your JSP/Servlet will accept JPEG, PNG or GIF files, but will refuse other types of files.
Note for JPEG:
Some web browser distinguishes the difference between image/jpeg and image/pjpeg, and sends the strict Content-Type header. To prepare for this kind of web browser, please also add image/pjpeg to this list.


Please place this property file under:
  • (docBase)/WEB-INF/classes

BinaryCheckerDic.properties

The strategy in the previous section fully depends on the mime-type (Content-Type) resolved by the web browser. It works like this:

  • Your JSP/Servlet shows the CGI FORM with multipart/form-data, by which the user can upload the file.
  • The web browser encodes the binary contents of the selected file and sends them to your JSP/Servlet, along with its file name.
  • MimeParser (which works within your JSP/Servlet) resolves the mime-type from the file name. This mime-type is compared to the mime-type listed in AcceptMime.properties and MimeParser decides if the uploaded file is acceptable or not.
It will be the rare case, but the user may try to upload the file with the invalid extension. For example, the user may try to upload the text file, whose file name is:
  • myphoto.jpg
In this case, MimeParser will resolve its mime-type as image/jpeg, and accept the uploaded file. But, this is not what you want.

To prepare for this situation, MimeParser can check if the binary contents of the uploaded file match with the expected pattern for the specific mime-type (Content-Type). After the mime-type (which is sent from the web browser) is found in AcceptMime.properties, MimeParser will inspect the binary contents of the uploaded file. If the binary contents do not match with the expected pattern for the mime-type, MimeParser will throw CorruptedBinaryContentsException.

To check the binary contents for the specific mime-type, this Java API defines the very simple interface. It is:
  • com.oopreserch.util.BinaryChecker
and has only one method.
There are so many mime-types in the world, and it is impossible to implement this interface for all the available mime-types. Rather, the implementations for only the typical mime-types are included in this Java API. They are:

CheckBmpLight This implementation checks only the first few bytes. Even if the first few bytes match the patterns for the BMP, there may be a case that the rest of the contents are invalid.
CheckGifLight This implementation checks only the first few bytes. Even if the first few bytes match the patterns for the GIF, there may be a case that the rest of the contents are invalid.
CheckGifStrict This class depends on Java ImageIO package, which is a part of JDK 1.4. Only if you use JDK 1.4 or later, you can use this class.
CheckJpegLight This implementation checks only the first few bytes. Even if the first few bytes match the patterns for the JPEG, there may be a case that the rest of the contents are invalid.
CheckJpegStrict This class depends on Java ImageIO package, which is a part of JDK 1.4. Only if you use JDK 1.4 or later, you can use this class.
CheckPngLight This implementation checks only the first few bytes. Even if the first few bytes match the patterns for the PNG, there may be a case that the rest of the contents are invalid.
CheckPngStrict This class depends on Java ImageIO package, which is a part of JDK 1.4. Only if you use JDK 1.4 or later, you can use this class.
CheckPdfLight This implementation checks only the first few bytes. Even if the first few bytes match the patterns for the PDF, there may be a case that the rest of the contents are invalid.
CheckPdfStrict This class depends on iText Java library. It is the FREE Java library for PDF. To use this class, please download it from: and place it under WEB-INF/lib directory.
CheckPsLight This implementation checks only the first few bytes. Even if the first few bytes match the patterns for the PostScript, there may be a case that the rest of the contents are invalid.

Note that all these implementations are packaged under:
  • com.oopreserch.util
To use these implementations, please edit BinaryCheckerDic.properties and list their fully qualified class names in it. It looks like this:


image/bmp=com.oopreserch.util.CheckBmpLight

image/gif=com.oopreserch.util.CheckGifLight
#image/gif=com.oopreserch.util.CheckGifStrict

image/jpeg=com.oopreserch.util.CheckJpegLight
image/pjpeg=com.oopreserch.util.CheckJpegLight

#image/jpeg=com.oopreserch.util.CheckJpegStrict
#image/pjpeg=com.oopreserch.util.CheckJpegStrict

image/png=com.oopreserch.util.CheckPngLight
#image/png=com.oopreserch.util.CheckPngStrict

application/pdf=com.oopreserch.util.CheckPdfLight
#application/pdf=com.oopreserch.util.CheckPdfStrict

application/postscript=com.oopreserch.util.CheckPsLight


Please place this property file under:
  • (docBase)/WEB-INF/classes

If the default implementations are not enough for you, you can implement your own ones and list their fully qualified class names to this property file. For details about:
  • com.oopreserch.util.BinaryChecker
interface, please read the API documentation (Java Doc) of this Java API.

Caution!
All the APIs for Servlet/JSP introduced by this web site are now included in Bento framework:
  • Simpler than JSTL or Apache Struts
  • MVC framework by HTML
  • Input validation from CGI FORM
  • Easy user authentication
  • Easy localization (L10n)
To download the APIs and source code examples, please visit the web site of Bento framework.


JBuilder 2007


General Information

For Java Development

Java and all Java-based trademarks and logos are trademarks or registered of Sun Microsystems, Inc. in the United States and other countries.


ALL CONTENTS COPYRIGHT 1997-2007, OOP-Research Corporation. All rights reserved.