I don't know exactly why because there is no exception on the server 
side, but when I call getSession() before req.setAttribute() the upload 
limit is not changed and I have an IO error on the flash side (error 
2038 from hessian) if the file is too big. If I set the attribute before 
getSession(), the big file is uploaded correctly.

If I call getSession(true) I understand from the doc that it is the same
as getSession(), it will create the session if the request has no session.

By the way, what do you mean by "avoid using sessions like the plague"?
Is it so bad coding using them? I understand that it uses memory and
has to be minimized, but if there is only some boolean or some little
strings I thought it was acceptable. How can I keep session information
like current language, current basket, manager status etc.? Adding them
in the request (like with cookies) does not seem very secure. I'd be
interested in your expert opinion :)

Thanks

Aaron Freeman wrote:
> Honestly I avoid using sessions like the plague, so I may not be the best
> person to answer your question.  However, I don't think calling getSession
> should cause your file upload to break at all.  What happens if the
> getSession() returns null though?  Maybe you want getSession(true)?
> 
> What error are you getting?
> 
>> -----Original Message-----
>> From: resin-interest-boun...@caucho.com [mailto:resin-interest-
>> boun...@caucho.com] On Behalf Of Riccardo Cohen
>> Sent: Wednesday, February 11, 2009 4:17 PM
>> To: General Discussion for the Resin application server
>> Subject: Re: [Resin-interest] upload limit
>>
>> Thanks for your answer, I have read the doc too quickly and now I
>> understand the "per request" statement. I did this:
>>
>>    public void service(HttpServletRequest req, HttpServletResponse res)
>>    {
>>      req.setAttribute("caucho.multipart.form.upload-max", new Long(300000));
>>
>> This works all right.
>> Now the "administrator" status is given to a session at the time when
>> the administrator logs in. After that I keep in the session the fact that
>> this user is the administrator (this is to protect administrative tasks
>> from being used by someone who knows the URL request and not the
>> password).
>> So actually my code is this:
>>
>>    public void service(HttpServletRequest req, HttpServletResponse res)
>>    {
>>      if (req.getSession().getAttribute("adl_stored_msmg")!=null)
>>      {
>>        req.setAttribute("caucho.multipart.form.upload-max", new Long(300000));
>>
>> This one does not work. I believe that if I call getSession() this
>> breaks the flow and the uploaded file is already processed. So how do
>> you suggest to handle the "administrator" status (I do not use HTTP AUTH
>> because the administrator backoffice is in flex)?
>>
>> Thanks.
>>
>>
>> Aaron Freeman wrote:
>>> No it should be per request.  So somewhere at the beginning of the servlet
>>> that handles the fileupload you would do:
>>>
>>> if ( administrator ) {
>>>     req.setAttribute("caucho.multipart.form.upload-max", new Long(300000));
>>> } else {
>>>     req.setAttribute("caucho.multipart.form.upload-max", new Long(10000));
>>> }
>>>
>>> Obviously you have to replace "administrator" in the "if" with the logic
>>> that tells you whether the person is an administrator or not.  For example
>>> if you are using HTTP AUTH then you would do something like:
>>>
>>> if( req.isUserInRole("administrator") ) {
>>>     req.setAttribute("caucho.multipart.form.upload-max", new Long(300000));
>>> } else {
>>>     req.setAttribute("caucho.multipart.form.upload-max", new Long(10000));
>>> }
>>>
>>> Aaron
>>>
>>>
>>>> -----Original Message-----
>>>> From: resin-interest-boun...@caucho.com [mailto:resin-interest-
>>>> boun...@caucho.com] On Behalf Of Riccardo Cohen
>>>> Sent: Tuesday, February 10, 2009 11:23 AM
>>>> To: General Discussion for the Resin application server
>>>> Subject: Re: [Resin-interest] upload limit
>>>>
>>>> I answer to these uploads with a servlet in Java.
>>>> The setting you suggest will apply for all sessions.
>>>> Am I right?
>>>> But I want to limit differently if it is the public or if it is the
>>>> administrator of the application.
>>>>
>>>> Aaron Freeman wrote:
>>>>>> Hi
>>>>>> For one of my projects I have to set <multipart-form enable='true'
>>>>>> upload-max='300M'/>
>>>>>>
>>>>>> I guess this is a security problem, and I would rather leave it at 100K
>>>>>> except for the application administrator session where I would set
>>>>>> dynamically to 300M.
>>>>> Riccardo are you using a JSP to process the file?  If so, according to this:
>>>>> https://www.gopay.com.cn/resin-doc/config/webapp.xtp#multipart-form
>>>>>
>>>>> you can set a request attribute at run time,
>>>>> caucho.multipart.form.upload-max to override the maximum file size.
>>>>>
>>>>> Aaron
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> resin-interest mailing list
>>>>> resin-interest@caucho.com
>>>>> http://maillist.caucho.com/mailman/listinfo/resin-interest
>>>>>
>>>>>
>>>> --
>>>> Riccardo Cohen
>>>> Architecte du Logiciel
>>>> http://www.architectedulogiciel.fr
>>>> +33 (0)6.09.83.64.49
>> --
>> Riccardo Cohen
>> Architecte du Logiciel
>> http://www.architectedulogiciel.fr
>> +33 (0)6.09.83.64.49

-- 
Riccardo Cohen
Architecte du Logiciel
http://www.architectedulogiciel.fr
+33 (0)6.09.83.64.49
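
The per-role limit discussed in this thread can also be enforced by the application while it reads the body, a check of its own that does not depend on when the container attribute is set. This is an added example, not code from the thread or from Resin: the class and method names are hypothetical, and it assumes the servlet consumes the raw request stream itself.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;

public class RoleUploadCap {
    // Byte caps reuse the two values from the thread (hypothetical class and method names).
    static long capFor(boolean administrator) {
        return administrator ? 300000L : 10000L;
    }
    /** Counts bytes as they are read and aborts once the cap is exceeded. */
    static final class CappedInputStream extends FilterInputStream {
        private final long max;
        private long seen;
        CappedInputStream(InputStream in, long max) { super(in); this.max = max; }
        private void count(long n) throws IOException {
            if (n > 0 && (seen += n) > max)
                throw new IOException("upload exceeds " + max + " bytes");
        }
        @Override public int read() throws IOException {
            int b = super.read();
            if (b >= 0) count(1);
            return b;
        }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            count(n);
            return n;
        }
    }

    /** Drains the body; declaredLength is Content-Length, or -1 when absent. */
    static long receive(InputStream body, long declaredLength, boolean administrator) throws IOException {
        long max = capFor(administrator);
        // Cheap early rejection; the header is client-supplied, so the stream is still counted.
        if (declaredLength > max) throw new IOException("declared length exceeds " + max);
        InputStream in = new CappedInputStream(body, max);
        byte[] buf = new byte[8192];
        long total = 0;
        for (int n; (n = in.read(buf)) != -1; ) total += n;
        return total;
    }

    public static void main(String[] args) throws IOException {
        byte[] upload = new byte[50000]; // constructed sample body
        System.out.println(receive(new ByteArrayInputStream(upload), upload.length, true));
        try { receive(new ByteArrayInputStream(upload), -1, false); }   // no Content-Length
        catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```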


