Where to save the user files?
I've developed a web application using Tomcat 6.0.32 on the server side.
On the client side, users can send files (max size: 10MB) and my web application should save them locally. These files should not be reachable directly through a URL (for example: http://www.mywebapp.com/user/file1.png).
Where do I have to save these files? I suppose within /WEB-INF/user_folder/, or are there other locations?
In theory, you could put the files anywhere:
- in $CATALINA_HOME/webapp/WEB-INF/...
- in $CATALINA_HOME/webapp/...
- in $CATALINA_HOME/temp/...
- in a custom subdirectory of $CATALINA_HOME
- somewhere else in the local file system
- on a network share
- in a database
- on stone tablets buried at the bottom of the garden.
In practice, it is up to you to decide which will be easiest to manage. For instance:
- If you put the files in the webapp directory, there is a risk that redeploying the webapp will blow away the files.
- If you put the files outside of the $CATALINA_HOME tree and run your Tomcat with Java security enabled, your webapp may be blocked from reading / writing the files. (And this may actually be a good thing!)
- You need to make sure that requests cannot read / write files in unexpected places. For instance, you need to protect against requests that use "../../...." to break out and access files in the host operating system; e.g. "../../../../etc/passwd".
- You need to consider file backup and file space management issues.
- (Stone tablets present some interesting challenges ...)
You can use the Apache file upload library and Apache Commons IO. For security reasons it is better to save your files somewhere else, for example in a place on your hard drive, and store the location in the database. Someone can download your files through your URL if you save your files in your web folder. Then you can create a servlet which opens the file and sends it to the client.
Apache commons file upload
Saving your uploads under the web information (WEB-INF) directory will definitely hide the files away from the user; however, in practice, almost nobody does that. The next time you have a new revision to your WAR, you risk losing everything you have saved in that folder.
The control of URL and context (e.g. mywebapp.com/user/*) should be controlled by you through configuring in web.xml or, if you use various MVC frameworks such as Struts, struts.xml.
You might want to think ahead and have these user uploaded files saved under other places in your server, such as /apps/myproject/user-uploads.
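The answers above recommend keeping uploads outside the webapp, serving them through a servlet, and rejecting names such as "../../../../etc/passwd". The following is an added example, not code from any of the answers, of the containment check such a servlet could run before opening a file. The class name `UploadStore`, its `resolve` method and the sample names other than the traversal string are hypothetical; the base directory is the one suggested in the last answer.

```java
import java.io.File;
import java.io.IOException;

// Hypothetical helper: maps a client-supplied name to a file that is
// guaranteed to live under one upload directory outside the webapp.
public class UploadStore {
    private final File baseDir;

    public UploadStore(File baseDir) throws IOException {
        // Canonical form: absolute, with "." / ".." and symlinks resolved.
        this.baseDir = baseDir.getCanonicalFile();
    }

    // Returns the canonical target, or throws if it would leave baseDir.
    public File resolve(String requestedName) throws IOException {
        if (requestedName == null || requestedName.isEmpty()
                || requestedName.indexOf('\0') >= 0) {
            throw new SecurityException("invalid file name");
        }
        File candidate = new File(baseDir, requestedName).getCanonicalFile();
        // Compare with a trailing separator so that a sibling directory such
        // as ".../user-uploads-old" does not pass a plain prefix test.
        String basePrefix = baseDir.getPath() + File.separator;
        if (!candidate.getPath().startsWith(basePrefix)) {
            throw new SecurityException("path escapes upload directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Assumed location, taken from the suggestion in the last answer.
        UploadStore store = new UploadStore(new File("/apps/myproject/user-uploads"));
        // Constructed sample names; the third is the one quoted in the first answer.
        String[] samples = {
            "file1.png", "42/report.pdf", "../../../../etc/passwd", "a/../../secret.txt"
        };
        for (String name : samples) {
            try {
                System.out.println("OK      " + name + " -> " + store.resolve(name));
            } catch (SecurityException e) {
                System.out.println("BLOCKED " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check only confines the path; whether the requesting user is allowed to read that particular file is a separate decision the servlet still has to make, for example by looking up the stored location in the database as the second answer suggests.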