Assume that I have a directory for uploaded public files like images in /var/my-project/upload/public.
I want to download files in public directory with its name. For example if there is a file named product-image.png in public directory with uri /var/my-project/upload/public/product-image.png, access to this file with this url: http://mysite/public/product-image.png.
I know how to use a controller for this purpose, but I want to know is there a way to directly access these files without using a controller method?
The only acceptable way of doing it is with a ReSTful api. There are other methods such as ftp, but When you use ftp, Files can be added by anyone who knows how. With a ReST controller, you define what can be added beforehand. In fact, with a controller you define just about everything regarding that endpoint.
So the short answer is (especially if you are using Spring boot) use an API, lest you not regret it later.
When I was in College, our website had a built in "back door" to a certain endpoint via ftp. Some kids in one of my classes found out about that back door and let themselves inside. Needless to say' they didnt bother wiping their shoes on the mat on their way in.
The moral: Never assume that your resources aren't worth messing with. All you need to do is make it unsecure, and people will eventually mess with it.
Related
I am storing a file on the public directory. If my file is a 100 character random string, could someone potentially find this file? Is there any way to protect the public directory for Laravel?
Do not attempt to do this. Security by obscurity is not a valid approach.
A few flaws to this approach:
If I knew the file existed, but not its name: I could try every combination to find it.
The web server may have an unknown flaw that allows directories to be listed?
If HTTPS is not utilized, anyone monitoring requests could see the file.
The best way would be to create a view that serves the file, stored outside the public directory(/storage), and secure the view with a single use token or login.
I have an Angular webapp that uses a Spring Boot REST service as its backing web service.
I am adding a "Profiles" feature for users, and as part of this I want to stand up an endpoint that allows users to upload profile images for themselves and immediately upload those files to S3 (where I will host all the images from).
Looking at several Spring Boot/file upload tutorials :
http://www.mkyong.com/spring-boot/spring-boot-file-upload-example/
I update avatar image and display it but the avatar does not change in Spring Boot , why?
Many others
It seems that the standard way of handling such file upload is exposing a controller endpoint that accepts MultipartFiles like so:
#RestController
#RequestMapping("/v1/profiles")
public class ProfileController {
#PostMapping("/photo")
public ResponseEntity uploadProfilePhoto(#RequestParam("mpf") MultipartFile mpf)
// ...
}
Looking at all this code, I can't tell if the MultipartFile instance is in-memory or if Spring sets its location somewhere (perhaps under /tmp?) on the disk.
Looking at the AWS S3 Java SDK tutorial, it seems the standard way to upload a disk-based File is like so:
File file = new File(uploadFileName);
s3client.putObject(new PutObjectRequest(bucketName, keyName, file));
So it looks like I must have a File on disk in order to upload to S3.
I'm wondering if there is a way to keep everything in memory, or whether this is a bad idea and I should stick to disks/File instances!
Is there a way to keep the entire profile image (MultipartFile) in-mempory inside the controller method?
Is there a way to feed (maybe via serialization?!) a MultipartFile instance to S3's PutObjectRequest?
Or is this all a terrible idea (if so, why?!)?
Is there a way to keep the entire profile image (MultipartFile) in-mempory inside the controller method?
No, there is NO way to keep an image File in-memory because File object in java represents a path in file system.
Is there a way to feed (maybe via serialization?!) a MultipartFile instance to S3's PutObjectRequest?
No, from S3's API documentation, there is no way for S3 to deserialize to the image file for you after/during the upload.
Or is this all a terrible idea (if so, why?!)?
It depends on your specific case but it is generally not preferred.
If - there are not many users uploading images at the same time, your memory is probably enough to handle.
Else - You can easily get out-of-memory problems.
If you insist on doing so, S3 API can upload an InputStream (If I remember correctly). You can convert your Multipart File to an InputStream.
This SO thread talks about uploading to S3 with InputStream
You can also take a look at File.createTempFile() to create a temp file.
I have been looking at the same thing. Basically you want a user to be able to be able to upload a photo album and have those photos served from S3 and probably have them secured so only that user can upload/delete/etc.
I believe the simpler answer is in spring boot to get a Pre-signed URL from S3. https://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObjectJavaSDK.html
which basically gives you a token defining the bucket, and object key ("/bobs_profile/smiling_bob.jpg") and a time limit for that image to be uploaded.
Give that to your angular app (or ionic app) to upload the image to that location.
That should do it. but someone let me know if I'm wrong.
The only issue that I see is if bob wants to upload "bobs_nude_photo.jpg" and only wants spring security logged in people to be able to see it... well I'm sure there is an S3 solution for that??
The Google Drive API v2 to v3 migration guide says:
The exportLinks field has been removed from files. To export Google Documents, use the files.export method instead.
I don't want to export (download) the file right away. "files.export" will actually download the file. I want a link to download the file, later. This was possible in v2 by means of the exportLinks.
How can I in v3 accomplish the same? If it is not possible, why was this useful feature removed?
Besides, (similar problem to above) downloadUrl was also removed, and the suggested alternative ("files.get with ?alt=media") downloads the file instead of providing a download link. This means there is no way in v3 to get a public short lived URL for a file?
EDIT:
there is no way in v3 to get a public short lived URL for a file?
For regular files, apparently yes.
This seems to work fine (a public short lived link to the file with its right name and contents):
https://www.googleapis.com/drive/v3/files/ID?alt=media&access_token=TOKEN
For google apps files, no (not even private, as v2 exportLinks used to be).
https://www.googleapis.com/drive/v3/files/ID/exportmimeType=TYPEv&access_token=TOKEN
Similar to regular files, this URL is a short lived link to the file contents, but lacking of its right name.
BTW, I see the API is not behaving consistently: /drive/v3/files/FILEID delivers the right file name, but /drive/v3/files/FILEID/export does not.
I think the API itself should be setting the right Content-Disposition, as it is apparently doing when issuing a /drive/v3/files/FILEID call.
This file naming problem invalidates the workaround to the lack of ExportLinks in v3.
The v2 ExportLinks allowed me to link a file (which is not the same as getting its content right away). Anyone logged in and with the proper permissions was able to access it, and the link didn't needed any access_token, and it wasn't short lived. It was good and useful.
Building a link with a raw API call like /drive/v3/files/FILEID/export (with mandatory access_token) would be an close enough workaround (it is temporary and public, not the same as it was, anyway). However, the naming problem invalidates it.
In v2, regular files have a WebContentLink and google apps files have exportLinks. In v3 exportLinks are gone, and I don't see any suitable alternative to them.
Once you query for your file by id you can use the function getWebContentLink() to get the download link of the file (eg. $file->getWebContentLink() ).
I think you're placing too much emphasis on the word "method".
There is still a link to export a file, it's https://www.googleapis.com/drive/v3/files/fileIdxxxxx/export&mimeType=xxxxx/xxxxx. Make sure you URL encode the mime type.
Eg
https://www.googleapis.com/drive/v3/files/1fGBQ81haNU_nEiC5GITZD3bxT0ppL2LHg-C0ubD4Q_s/export?mimeType=text/csv&access_token=ya29.Gmo0BMvO-pVEPKsiD9j4D-NZVGE91MChRvwOcBSg3cTHt5uAClf-jFxcovQScbO2QQhwHS95eSGW1eQQcK5G1UQ6oI4BFEJJkntEBkgriZ14GbHuvpDL7LT2pKA--WiPuNoDDIuZMm5lWtlr
These links form part of the API, so the expectation is that you've written a client that sends authenticated requests, and deals with the response data. This explains why, if you simply paste the link into a browser without an access_token, it will fail. It also explains why the filename is export, ie. it isn't intended that your client would ever use a filename, but rather it should receive the data as a stream. This SO answer discusses the situation in more detail How to set name of file downloaded from browser?
Using the execlent library ImageProcessor is really easy. Thanks James
How do you prevent ImageProcessorModule from intercepting images from certain folder?
Say I have a folder named "DontResizeMe" - how make ImageProcessor ignore this folder?
I think there are a few ways to achieve this, depending on which part you want to avoid.
You could inherit the ImageProcessingModule, and make your own pre-checks to determine if the request should be processed by the base class.
You could use the OnValidatingRequest event, and cancel any requests in the folder you choose.
There is a config setting for InterceptAllRequests that will ignore any request without query string params.
You could make your own "noop" service, and configure that for the prefixes you want. See examples here: https://github.com/JimBobSquarePants/ImageProcessor/blob/2f2044da7bf7f3960928a7ea47f5540975946062/tests/ImageProcessor.TestWebsite/config/imageprocessor/security.config
I have a requirement to send the folder details in the URL for POST method, some thing like this
http:///{directory}/{filename}
I am using Spring API to create the service. Using #PathVariables to two variables in the URI.
Problem : Directory can have "/" slashes in it.
Now how can I create my API, please help me.
POST http://example.com/api/files/path/to/my/file/filename
Stick a controller on /api/files. Scrape the URL starting after /files. Use that to locate the file.
P.S. This has the potential to be a Very Bad Idea. Make sure you secure the controller to only expose those parts of your filesystem you don't mind random internet strangers to be able to operate on.