In my web application I need to upload file to the server. This file is JasperReport template and its extension is .jrxml. So I want to make that server accepts files only with this extension. To upload file I'm using ServletFileUpload. To verify file extension I'm only verifying if fileName contains ".jrxml". But I don't feel that this method is secure enough. Is there any possibility to make upload more safe ?
You can use XML Validator to verify the uploaded file against the Jasper Report XSD. If you wanted to go the additional step you could also compile the uploaded template using the JasperCompile though that might be overkill for your app and a drag on performance.
Related
I have a rather simple question. I have a controller with two endpoints
/newFile
/downloadFile/{fileName}
/newFile endpoint creates a simple .txt file under resources
and my expectation would be to hit /downloadFile/{fileName} and download the newly created resource.
Resource res = new ClassPathResource(fileName);
so as it turned out classpath resource looks under build/resources and the file is not yet there (because I haven't restarted/rebuild the app, once I do it - I can download the file) but the whole idea is to dynamically generate files and access them immediately - is there a quick way to bypass this without having to rebuild?
I too had the same problem when I was working on FACE Recognition API which has the same process of creating a file and and uploading it to analysis.
What java does is It abstracts project to JVM and runs on it, So your newly created file won't be in the JVM, What you need to do is to use a Database or any cloud storage or NFS.
According to my perspective Using Database is the best option. Code Java How to upload files to database with Servlet, JSP and MySQL and Javatpoint store file in Oracle database are some documents you can refer for using a database.
you can refer to this document for implementing your project.
I am trying to dynamically generate the workflow file for Flowable and deploy it on the go.
There are two challenges:
1. Create BAR file to package the XML that is generated
2. Deploying it dynamically.
Has anyone ever tried this? If yes, could you please help or suggest an alternative
Accomplished this finally. The only thing I needed to understand was that BAR file is nothing by a normal ZIP file. It simply needs to be named with a .bar extension.
To deploy it dynamically, we need to utilise the Repository service in the Flowable engine library. Below code snippet allows you to dynamically deploy the workflow. Once deployed, you can freely delete the workflow file as the workflow is recorded in the database.
String barFileName = "path/to/process-one.bar";
ZipInputStream inputStream = new ZipInputStream(new FileInputStream(barFileName));
repositoryService.createDeployment()
.name("process-one.bar")
.addZipInputStream(inputStream)
.deploy();
I have a Play application that creates files in the public folder when a user is in session. These files are like working files.
Now, with multiple users working at the same time, I want to restrict a user to his working files and not someone else's.
How do I achieve this ?
What I thought of :
Have uuid based file name
Store the files in the root of Application and send files to javascript using Java controller
Authenticating before using any file
You can use some authentication framework(like SecureSocial or Silhouette) and then manage files from controller. Once you are in SecuredAction or UserAwareAction you can get user identity and access the right file based on some propery of defined identity
Does anybody have any idea of how this can be accomplished?
I can create wsdlArtifacts, businessServiceArtifacts, webServiceArtifacts, etc, but I can't upload a WSDL file, I would like to have the same behaviour of the Systinet interface, that is, the file is parsed and operations, endpoints, WSDL artifacts are automatically created. I don't want to have to parse the WSDL file to create those.
Thanks!
Disable the parsing policies associated to the WSDL artifact on systinet.
I have an application which is invoked via Java Webstart. Opening it via the Webstart link works without any issue.
I also have an application based on Excel that generates files (via vba) which can then be opened by the program that starts via Webstart.
What I would like to do is have a button that invokes the Webstart application and then opens a newly generated file. The files name (and contents) are time sensitive and so I can't use the same file name over and over.
I've pretty much figured out how to use vba to invoke the application via Webstart but the problem is that for the Webstart app to be able to open a file it needs to be passed in as an argument in the jnlp descriptor
<application-desc main-class="com.foo.WebstartApp">
<argument>-file</argument>
<argument>C:\files\file_20100909_164834.csv</argument>
</application-desc>
How do you go about passing through the filename into the JNLP file when the filename will always be different?
Should I be looking at dynamically generating a new jnlp file each time, or is there a way to parameterize the jnlp file and pass through the filename when invoking the JNLP?
Dynamically generated JNLP files is probably going to open you up to injection attacks, just like dynamic SQL. Further it looks as if you are expecting the user to trust the WebStart application which trusts the JNLP file which is untrustworthy.
Assuming you have one application instance per desktop (SingleInstanceService), information about which files to use, which should not necessarily be trusted, can be passed through an applet using the PersistenceService ("muffins") or, apparently if the browser is IE, through cookies.
I've found a solution that suits my needs. A custom servlet is used to modify parameters in the URL string.
http://forums.sun.com/thread.jspa?threadID=714893