mattias_avelin mattias_avelin - 1 month ago 22
Java Question

Setting file size restrictions when uploading files with Jersey

I'm currently implementing functionality for uploading files using jersey rest. I would like to set a maximum allowed file size which to me seems like a pretty common requirement.

My first approach was to use Jerseys FormDataContentDisposition which should hold all the information I could possibly need about the file. But all information except the file name seems to be missing, including file size.

This is my rest method:

@POST
@Path("uploadFile/")
@Consumes("multipart/form-data")
@Produces("text/html")
public String handleDocumentUpload(
@FormDataParam("file") InputStream uploadedInputStream,
@FormDataParam("file") FormDataContentDisposition fileDetail)
{
if(fileDetail.getSize() > MAX_FILE_SIZE)
{
throw new IllegalArgumentException(
"File is to big! Max size is " + MAX_FILE_SIZE);
}
// ...more file handling logic
}


Which isn't working since the returned size is always "-1"!

I use a extremely simple html form for the file upload:

<html>
<head>
<title>File upload</title>
</head>
<body>
<p>Choose file</p>
<form enctype="multipart/form-data" method="POST" action="uploadFile">
<input type="file" name="file" size="50">
<input type="submit" value="Upload">
</form>
</body>
</html>


So now to my question; how would you enforce a file size restriction using jersey? There must be some simple way without having to resort to reading the whole file into memory (ByteArray) and then get the actuall size, right?

Answer

If the client does not send the file size, fall back to reading the file from stream. Once you hit the size limit, stop reading and refuse the file. You should do this anyway, since you can't trust the client (anyone can create an app that sends http requests to your service and those requests may not have correct data you expect - so have to take that into account).

In addition, it may be possible to add some validation to the web form as well to fail fast, but I am not a JavaScript expert, so not sure if/how that can be done.