Re: [Resin-interest] upload limit

2009-02-11 Thread Riccardo Cohen
Thanks for your answer, I have read the doc too quickly and now I 
understand the per request statement. I did this:

   public void service(HttpServletRequest req, HttpServletResponse res)
   {
     // Override the multipart upload limit for this request
     req.setAttribute("caucho.multipart.form.upload-max", new Long(30));
     // ...
   }

This works all right.
Now the administrator status is given to a session at the time when 
the administrator logs in. After that I keep in the session the fact that 
this user is the administrator. (This is to protect administrative tasks 
from being used by someone who knows the URL request and not the password.)
So actually my code is this:

   public void service(HttpServletRequest req, HttpServletResponse res)
   {
     // Session flag stored at administrator login
     if (req.getSession().getAttribute("adl_stored_msmg") != null)
     {
       req.setAttribute("caucho.multipart.form.upload-max", new Long(30));
     }
     // ...
   }

This one does not work. I believe that if I call getSession() this 
breaks the flow and the uploaded file is already processed. So how do 
you suggest handling the administrator status (I do not use HTTP AUTH 
because the administrator backoffice is in Flex)?

Thanks.



-- 
Riccardo Cohen
Architecte du Logiciel
http://www.architectedulogiciel.fr
+33 (0)6.09.83.64.49



___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest


Re: [Resin-interest] upload limit

2009-02-11 Thread Aaron Freeman
Honestly I avoid using sessions like the plague, so I may not be the best
person to answer your question.  However, I don't think calling getSession
should cause your file upload to break at all.  What happens if the
getSession() returns null though?  Maybe you want getSession(true)?

What error are you getting?



Re: [Resin-interest] upload limit

2009-02-11 Thread Riccardo Cohen
I don't know exactly why because there is no exception on the server 
side, but when I call getSession() before req.setAttribute() the upload 
limit is not changed and I have an IO error on the flash side (error 
2038 from hessian) if the file is too big. If I set the attribute before 
getSession(), the big file is uploaded correctly.

If I call getSession(true), I understand from the doc that it is the same 
as getSession(): it will create the session if the request has no session.

By the way, what do you mean by "avoid using sessions like the plague"? 
Is it such bad coding to use them? I understand that it uses memory and 
has to be minimized, but if there is only some boolean or some little 
strings I thought it was acceptable. How can I keep session information 
like current language, current basket, manager status etc.? Adding them 
in the request (like with cookies) does not seem very secure. I'd be 
interested in your expert opinion :)

Thanks


Re: [Resin-interest] upload limit

2009-02-10 Thread Aaron Freeman
> Hi
> For one of my projects I have to set <multipart-form enable='true'
> upload-max='300M'/>
>
> I guess this is a security problem, and I would rather leave it at 100K
> except for the application administrator session where I would set it
> dynamically to 300M.


Riccardo, are you using a JSP to process the file?  If so, according to this:


https://www.gopay.com.cn/resin-doc/config/webapp.xtp#multipart-form

you can set a request attribute at run time,
caucho.multipart.form.upload-max to override the maximum file size.

Aaron






Re: [Resin-interest] upload limit

2009-02-10 Thread Riccardo Cohen
I answer these uploads with a servlet in Java.
The setting you suggest will apply to all sessions.
Am I right?
But I want to limit differently if it is the public or if it is the 
administrator of the application.

 

-- 
Riccardo Cohen
Architecte du Logiciel
http://www.architectedulogiciel.fr
+33 (0)6.09.83.64.49





Re: [Resin-interest] upload limit

2009-02-10 Thread Aaron Freeman
No, it should be per request.  So somewhere at the beginning of the servlet
that handles the file upload you would do:

// "administrator" is a placeholder for your own admin check
if ( administrator ) {
    req.setAttribute("caucho.multipart.form.upload-max", new Long(30));
} else {
    req.setAttribute("caucho.multipart.form.upload-max", new Long(1));
}

Obviously you have to replace administrator in the if with the logic
that tells you whether the person is an administrator or not.  For example
if you are using HTTP AUTH then you would do something like:

if ( req.isUserInRole("administrator") ) {
    req.setAttribute("caucho.multipart.form.upload-max", new Long(30));
} else {
    req.setAttribute("caucho.multipart.form.upload-max", new Long(1));
}

Aaron
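
The per-request pattern from the reply above as a complete servlet, written as an added example (not code from the thread or from Resin): it picks the limit from the container role check, sets the attribute before anything else touches the request, and rejects oversized requests early on the declared Content-Length. The class name, the byte values used for 100K and 300M, and the "administrator" role name are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet name; not code from the thread or from Resin.
public class UploadServlet extends HttpServlet {
    // Request attribute named in the thread (from the Resin multipart-form docs).
    private static final String UPLOAD_MAX = "caucho.multipart.form.upload-max";

    // Constructed limits, assumed to be byte counts: the thread's 100K and 300M.
    static final long PUBLIC_MAX = 100L * 1024;
    static final long ADMIN_MAX = 300L * 1024 * 1024;

    // Anyone not positively identified as administrator gets the small limit.
    static long limitFor(boolean isAdmin) {
        return isAdmin ? ADMIN_MAX : PUBLIC_MAX;
    }

    // Parse Content-Length; -1 means absent or malformed (e.g. chunked body).
    static long declaredLength(String header) {
        if (header == null) return -1;
        try {
            return Long.parseLong(header.trim());
        } catch (NumberFormatException e) {
            return -1;
        }
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // Container-managed role check, as in the reply above (role name assumed).
        long limit = limitFor(req.isUserInRole("administrator"));

        // Set the override first, before any call that might read the body.
        req.setAttribute(UPLOAD_MAX, Long.valueOf(limit));

        // Cheap early rejection on the declared size. Content-Length covers the
        // whole multipart body, so this is slightly stricter than the file size.
        if (declaredLength(req.getHeader("Content-Length")) > limit) {
            res.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }

        // ... read the uploaded file here (application-specific) ...
    }
}
```

Requests with no usable Content-Length pass the early check, so the per-request attribute remains the limit that bounds them.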

