Thanks for your answer, I have read the doc too quickly and now I 
understand the "per request" statement. I did this:

   public void service(HttpServletRequest req, HttpServletResponse res)
   {
     req.setAttribute("caucho.multipart.form.upload-max", new Long(300000));

This works all right.
Now the "administrator" status is given to a session at the time when 
the administrator logs in. After that I keep in the session the fact that 
this user is the administrator (this is to protect administrative tasks 
from being used by someone who knows the URL request and not the password).
So actually my code is this:

   public void service(HttpServletRequest req, HttpServletResponse res)
   {
     if (req.getSession().getAttribute("adl_stored_msmg")!=null)
     {
       req.setAttribute("caucho.multipart.form.upload-max", new Long(300000));

This one does not work. I believe that if I call getSession() this 
breaks the flow and the uploaded file is already processed. So how do 
you suggest handling the "administrator" status (I do not use HTTP AUTH 
because the administrator back office is in Flex)?

Thanks.


Aaron Freeman wrote:
> No it should be per request.  So somewhere at the beginning of the servlet
> that handles the fileupload you would do:
> 
> if ( administrator ) {
>     req.setAttribute("caucho.multipart.form.upload-max", new Long(300000));
> } else {
>     req.setAttribute("caucho.multipart.form.upload-max", new Long(10000));
> }
> 
> Obviously you have to replace "administrator" in the "if" with the logic
> that tells you whether the person is an administrator or not.  For example
> if you are using HTTP AUTH then you would do something like:
> 
> if ( req.isUserInRole("administrator") ) {
>     req.setAttribute("caucho.multipart.form.upload-max", new Long(300000));
> } else {
>     req.setAttribute("caucho.multipart.form.upload-max", new Long(10000));
> }
> 
> Aaron
> 
> 
>> -----Original Message-----
>> From: resin-interest-boun...@caucho.com [mailto:resin-interest-
>> boun...@caucho.com] On Behalf Of Riccardo Cohen
>> Sent: Tuesday, February 10, 2009 11:23 AM
>> To: General Discussion for the Resin application server
>> Subject: Re: [Resin-interest] upload limit
>>
>> I answer these uploads with a servlet in Java.
>> The setting you suggest will apply to all sessions.
>> Am I right?
>> But I want to limit differently if it is the public or if it is the
>> administrator of the application.
>>
>> Aaron Freeman wrote:
>>>> Hi
>>>> For one of my projects I have to set <multipart-form enable='true'
>>>> upload-max='300M'/>
>>>>
>>>> I guess this is a security problem, and I would rather leave it at 100K
>>>> except for the application administrator session where I would set
>>>> dynamically to 300M.
>>>
>>> Riccardo are you using a JSP to process the file?  If so, according to this:
>>>
>>> https://www.gopay.com.cn/resin-doc/config/webapp.xtp#multipart-form
>>>
>>> you can set a request attribute at run time,
>>> caucho.multipart.form.upload-max to override the maximum file size.
>>>
>>> Aaron
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> resin-interest mailing list
>>> resin-interest@caucho.com
>>> http://maillist.caucho.com/mailman/listinfo/resin-interest
>>>
>>>
>> --
>> Riccardo Cohen
>> Architecte du Logiciel
>> http://www.architectedulogiciel.fr
>> +33 (0)6.09.83.64.49
>>
>>
>>
> 
> 
> 
> 
> 

-- 
Riccardo Cohen
Architecte du Logiciel
http://www.architectedulogiciel.fr
+33 (0)6.09.83.64.49
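
An added example, not code from the thread or from Resin: a servlet filter that picks the per-request limit from the session flag used above and also rejects oversized requests by their declared Content-Length, so the cap does not depend only on the container honouring the attribute. Whether getSession() triggers multipart processing in Resin is not settled in this thread; the class name and the OVERHEAD allowance are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter; map it in web.xml ahead of the upload servlet. */
public class UploadLimitFilter implements Filter {
    // Limits and attribute names are the ones quoted in the thread.
    static final long ADMIN_MAX = 300000L;
    static final long PUBLIC_MAX = 10000L;
    static final String ADMIN_FLAG = "adl_stored_msmg";
    static final String LIMIT_ATTR = "caucho.multipart.form.upload-max";
    // Assumed allowance for multipart boundaries and part headers.
    static final long OVERHEAD = 4096L;

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // getSession(false) never creates a session for an anonymous uploader.
        // Anything other than a session carrying the flag gets the public limit.
        HttpSession session = req.getSession(false);
        boolean admin = session != null && session.getAttribute(ADMIN_FLAG) != null;
        long limit = admin ? ADMIN_MAX : PUBLIC_MAX;

        // Set the container attribute before any code calls getParameter().
        req.setAttribute(LIMIT_ATTR, Long.valueOf(limit));

        // Reading the Content-Length header does not consume the body.
        // -1 means the length is unknown (for example chunked encoding);
        // such requests are bounded only by the attribute above.
        int declared = req.getContentLength();
        if (declared > limit + OVERHEAD) {
            res.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        chain.doFilter(req, res);
    }
}
```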


