
I am working on a file sharing web application. This application is being developed using JSP and servlets, MySQL, the Apache Tomcat 6.0 web server and the Eclipse Juno IDE. My expertise level with these technologies is beginner.

This application has a file upload utility. Under this utility the user enters some basic information regarding the file in an HTML form and gives the path to the file on the local machine using the browse button. When the user clicks on the Submit button, the data in the form is saved in the database and the file gets uploaded to the server at a fixed common location specified by the application. While uploading a file to the server, this utility will create a directory at the given fixed common location and upload the file into this created directory.

I have the following questions and doubts on which I want guidance and a solution from experts.

  1. Currently I have my web server and database server on the same machine, and the uploaded files are also on the same web server in the application's directory. I want to keep the uploaded files very secure. I want to ask experts whether this kind of setup is correct, or whether there is another secure and perfect setup design for the same situation?

  2. The number of users logged in to the application is not decided yet, but it may be from a few to a thousand. There is no restriction on the count of uploaded files. So finally the total size of files uploaded by all users at the fixed common location may be in GBs or a few TBs. Currently there are no issues regarding the disk space required, but suggestions and guidance regarding this are always welcome.

  3. As per the process mentioned above, I need to create a directory at the given fixed common location. Will the server or another security application on the server allow me to create a directory on the fly at that fixed common location?

  4. Is it good practice to put the uploaded files in the web application's own folder?

Thank You!

Param-Ganak


1) I would recommend saving the uploaded files in your database. In this manner you will have an extra layer (DB security) of added security and reliable storage, without the need to sort files into directories.

2) To be able to decide on your disk storage, it is crucial to know in advance approximately the average file size to be uploaded and the number of users who will use the application. If you take into consideration my point above and you use a database, there are methods to extend your database size for extra scalability in case you need it.

3) Yes, directory creation is allowed as long as you have enough permissions to do so from your OS.

4) NO! Don't do it. Consider the case where you want to redeploy your application.

MaVRoSCy
  • Thank you, Sir, for your reply. With reference to your reply, point 4 is very important and I forgot the case that you have mentioned. But what is your opinion if I create the directory at the same level where my web application folder is placed instead of creating it inside the web application folder? Can I give the path to this folder and be able to create sub-directories in this folder? – Param-Ganak Oct 04 '12 at 12:24
  • I would recommend not creating the directory in the server's installation folders, in case you upgrade your server version or change it entirely. I am leaving aside the security issues.... I would create a directory structure on a separate drive (partition) and have this path hard-coded in a property file in my application. – MaVRoSCy Oct 04 '12 at 12:47
  • Thank you, Sir! You have again pointed out one of the important issues in my design. As mentioned in your above comment, creating the directory structure on a separate drive is good, but as you said it may be insecure. So if I have created a separate FTP server for storing files, and whenever the user uploads a file my application will connect to the above FTP server, create a new directory and upload the file into it, then there will be no issue on application redeployment, server upgrade or security threats. What is your opinion on this? Comment will be continued in the next comment – Param-Ganak Oct 04 '12 at 13:40
  • Previous comment is continued here... and whenever the user wants to see the file I will give the path to this FTP host and the file will be fetched to the client user's browser for display. – Param-Ganak Oct 04 '12 at 13:42
  • Hm... give a link to an open FTP server to the user? Where is the security here? If the FTP is password protected then the user must supply credentials. That's not good IMO. I would recommend the option where you store it on a separate partition (HDD) on the server machine, or a network location accessible by the server. – MaVRoSCy Oct 04 '12 at 13:55
  • Thank you, Sir, for your guidance. If I face any more issues I will definitely come back to you for guidance again. Thank you very much – Param-Ganak Oct 04 '12 at 14:11
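The layout the answer and the comments converge on (a base directory on a separate partition, its path read from a property file, one sub-directory created per upload, nothing under the webapp folder) can be packaged in a small helper that the upload servlet calls. The following is an added example written for this page, not code from the question's author or from the answerer. It assumes a properties file with a single key `upload.dir` (both the file location and the key name are hypothetical), and it uses only Java 6 APIs so it fits a Tomcat 6.0 deployment; the sub-directory name is generated on the server so that nothing the client sends ever becomes a path component, and the final target is checked canonically to stay under the base directory.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Properties;
import java.util.UUID;

/** Stores uploaded files under a base directory that lives outside Tomcat and the webapp. */
public class UploadStore {

    private final File baseDir;

    /** Reads upload.dir from a properties file (hypothetical key; path chosen by the deployer). */
    public static UploadStore fromProperties(File propertiesFile) throws IOException {
        Properties props = new Properties();
        InputStream in = new FileInputStream(propertiesFile);
        try {
            props.load(in);
        } finally {
            in.close();
        }
        String dir = props.getProperty("upload.dir");
        if (dir == null || dir.trim().length() == 0) {
            throw new IOException("upload.dir is not set in " + propertiesFile);
        }
        return new UploadStore(new File(dir.trim()));
    }

    public UploadStore(File baseDir) throws IOException {
        this.baseDir = baseDir.getCanonicalFile();
        // Answer point 3: creation only works if the OS account running Tomcat may write here.
        if (!this.baseDir.isDirectory() && !this.baseDir.mkdirs()) {
            throw new IOException("cannot create base directory " + this.baseDir);
        }
        if (!this.baseDir.canWrite()) {
            throw new IOException("base directory is not writable by the Tomcat user: " + this.baseDir);
        }
    }

    /** One directory per upload, named by a server-generated id rather than anything from the form. */
    public File createUploadDir() throws IOException {
        File dir = new File(baseDir, UUID.randomUUID().toString());
        if (!dir.mkdir()) {
            throw new IOException("cannot create " + dir);
        }
        return dir;
    }

    /**
     * Maps the browser-supplied file name to a destination inside an upload directory.
     * Only the last path component is kept, the character set is reduced to a safe subset,
     * and the canonical result must still be under baseDir.
     */
    public File resolve(File uploadDir, String clientFileName) throws IOException {
        String name = clientFileName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        name = name.replaceAll("[^A-Za-z0-9._-]", "_");
        if (name.length() == 0 || name.equals(".") || name.equals("..")) {
            name = "upload.bin";
        }
        File target = new File(uploadDir, name).getCanonicalFile();
        if (!target.getPath().startsWith(baseDir.getPath() + File.separator)) {
            throw new IOException("destination is outside the upload store: " + target);
        }
        return target;
    }

    /** Copies the upload stream to disk and refuses anything above maxBytes (disk-space guard). */
    public long store(InputStream in, File target, long maxBytes) throws IOException {
        OutputStream out = new FileOutputStream(target);
        long total = 0;
        try {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                total += n;
                if (total > maxBytes) {
                    throw new IOException("upload exceeds the limit of " + maxBytes + " bytes");
                }
                out.write(buf, 0, n);
            }
        } finally {
            out.close();
            if (total > maxBytes) {
                target.delete();
            }
        }
        return total;
    }

    /** Stand-alone demo with a temporary base directory and constructed input (no servlet needed). */
    public static void main(String[] args) throws IOException {
        File base = new File(System.getProperty("java.io.tmpdir"), "upload-store-demo");
        UploadStore store = new UploadStore(base);
        File dir = store.createUploadDir();
        // A constructed client name with directory components is reduced to "report.pdf" inside dir.
        File target = store.resolve(dir, "C:\\Users\\someone\\..\\report.pdf");
        byte[] payload = "constructed file contents".getBytes("UTF-8");
        long written = store.store(new ByteArrayInputStream(payload), target, 10L * 1024 * 1024);
        System.out.println("stored " + written + " bytes at " + target);
    }
}
```

In the servlet, `fromProperties` would be called once at startup and the resulting `UploadStore` kept in the servlet context; the request handler then calls `createUploadDir`, `resolve` and `store` in that order and saves only the returned path (or the generated directory id) in MySQL alongside the form data. Because the base directory is taken from the property file rather than from the webapp or Tomcat installation folders, redeploying the application or upgrading the server leaves the stored files untouched, which is the point the answer makes in 4) and the first comment repeats.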