I am implementing a Grails/Groovy web app, I want to limit the user's file upload size, I don't want someone uploads a 10GB file to my server. What I figured out was that most approaches to calculate the size is done after the file is already uploaded, what If someone puts up 10 profiles and upload 10 files as big as 10GB ? That can exhaust the server and occupy so much space on the server disk. So I'm trying to prevent this.
I figured out that Apache Tomcat allows for the following configuration, In hard-coded or Annotation approach. I'm not sure if the max-file-size is calculated during the upload process or after the file is uploaded to a temp place. The documentation indicates the followings :
The @MultipartConfig annotation supports the following optional
attributes:location: An absolute path to a directory on the file system. The
location attribute does not support a path relative to the application
context. This location is used to store files temporarily while the
parts are processed or when the size of the file exceeds the specified
fileSizeThreshold setting. The default location is "".fileSizeThreshold: The file size in bytes after which the file will be
temporarily stored on disk. The default size is 0 bytes.MaxFileSize: The maximum size allowed for uploaded files, in bytes. If
the size of any uploaded file is greater than this size, the web
container will throw an exception (IllegalStateException). The default
size is unlimited.maxRequestSize: The maximum size allowed for a multipart/form-data
request, in bytes. The web container will throw an exception if the
overall size of all uploaded files exceeds this threshold. The default
size is unlimited.
annotation approach :
@MultipartConfig(location="/tmp", fileSizeThreshold=1024*1024,
maxFileSize=1024*1024*5, maxRequestSize=1024*1024*5*5)
and here is the hard-coded value:
<multipart-config>
<!– 50MB max –>
<max-file-size>52428800</max-file-size>
<max-request-size>52428800</max-request-size>
<file-size-threshold>0</file-size-threshold>
</multipart-config>
I appreciate it if anyone can clarify if the MaxFileSize is calculated during the upload process.
Best Answer
The MaxFileSize will be calculated after the whole file has been already uploaded. You can upload a file (1GB size) on your web app, then you will notice what really happen. So relying on the Tomcat would make no sense. Doing same work in Servlet is possible, but when your counter reaches the MaxFileSize how you can disconnect the underlying HTTP connection? I think you have no way. The HTTP protocol is unidirectional, so you can't also tell browser to cancel the long post in time. The only thing you can do is when your counter reaches the threshold just ignore the follow-up bytes from input stream to protect disk space till the file transmission complete.