tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Antonio Fiol BonnĂ­n <>
Subject Re: File download impact JSP running
Date Mon, 17 Nov 2003 07:33:16 GMT

Sorry about my previous response: I missed the important point.

Here is what the RFC says about "Content-Disposition" (two fragments of
RFC 2616).

Anyway, the important part is that you SHOULD NOT send your file AND a
web page after it.

In your code snippet, you loop over the file, sending it, and then you
"forward" to a JSP file. That is, simply, not possible.

If you want to do the same thing which is implemented in, i.e.
sourceforge (a page appears and a file starts downloading, more or less
at the same time), I suggest you to read the HTML code they have.

Good luck!

Antonio Fiol

15.5 Content-Disposition Issues

   RFC 1806 <> [35], from which the often implemented
   (see section 19.5.1) header in HTTP is derived, has a number of very
   serious security considerations. Content-Disposition is not part of
   the HTTP standard, but since it is widely implemented, we are
   documenting its use and risks for implementors. See RFC 2183 <>
   (which updates RFC 1806 <>) for details.

19.5.1 Content-Disposition

   The Content-Disposition response-header field has been proposed as a
   means for the origin server to suggest a default filename if the user
   requests that the content is saved to a file. This usage is derived
   from the definition of Content-Disposition in RFC 1806 <>

        content-disposition = "Content-Disposition" ":"
                              disposition-type *( ";" disposition-parm )
        disposition-type = "attachment" | disp-extension-token
        disposition-parm = filename-parm | disp-extension-parm
        filename-parm = "filename" "=" quoted-string
        disp-extension-token = token
        disp-extension-parm = token "=" ( token | quoted-string )

   An example is

        Content-Disposition: attachment; filename="fname.ext"

   The receiving user agent SHOULD NOT respect any directory path
   information present in the filename-parm parameter, which is the only
   parameter believed to apply to HTTP implementations at this time. The
   filename SHOULD be treated as a terminal component only.

   If this header is used in a response with the application/octet-
   stream content-type, the implied suggestion is that the user agent
   should not display the response, but directly enter a `save response
   as...' dialog.

   See section 15.5 for Content-Disposition security issues.

Cui Xiaojing-a13339 wrote:

>Hello All,
>I use below a set  of commands to download a file, after the file is saved into local
disk, the current JSP page (Jreport_main.jsp) could not work correctly. After the current
page is refreshed, it can work again. Does setting header in response impact the jsp running?
Could please give some advice? Thanks.
>		FileDAO fd=new FileDAO();
>		response.setHeader("Cache-Control", "no-cache");
>		File f=new File("e:/report.xls");
>		response.addHeader("Content-disposition", "attachment; filename=" +f.getName());
>		ServletOutputStream out = response.getOutputStream();
>		FileInputStream in=new FileInputStream(f);
>		int b;
>		while ((!=-1){
>			out.write(b);
>		}
>		in.close();
>		out.close();
>		RequestDispatcher rd = getServletContext().getRequestDispatcher("/Jreport_main.jsp");
>		rd.forward(request, response);	
>To unsubscribe, e-mail:
>For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message