Fork me on GitHub
Edit on GitHub << back to File Upload Interceptor

File Upload

Since Struts 6.4.0 the FileUploadInterceptor is deprecated, and you should use ActionFileUploadInterceptor instead!

The Struts 2 framework provides built-in support for processing file uploads that conform to RFC 1867, “Form-based File Upload in HTML”. When correctly configured the framework will pass uploaded file(s) into your Action class. Support for individual and multiple file uploads are provided. When a file is uploaded it will typically be stored in a temporary directory. Uploaded files should be processed or moved by your Action class to ensure the data is not lost. Be aware that servers may have a security policy in place that prohibits you from writing to directories other than the temporary directory and the directories that belong to your web application.

Dependencies

The Struts 2 framework leverages the Commons FileUpload library as a based library to support file upload in the framework. The library is included in a base Struts 2 distribution.

Basic Usage

The org.apache.struts2.interceptor.FileUploadInterceptor interceptor is included as part of the defaultStack and named fileUpload. As long as the required libraries are added to your project you will be able to take advantage of the Struts 2 file upload capability. Configure an Action mapping for your Action class as you typically would.

Example action mapping:

<action name="doUpload" class="com.example.UploadAction">
    <result name="success">good_result.jsp</result>
</action>

A form must be created with a form field of type file, <INPUT type="file" name="upload">. The form used to upload the file must have its encoding type set to multipart/form-data, <form action="doUpload" enctype="multipart/form-data" method="post">. The standard procedure for adding these elements is by using the Struts 2 tag libraries as shown in the following example:

Example JSP form tags:

<s:form action="doUpload" method="post" enctype="multipart/form-data">
    <s:file name="upload" label="File"/>
    <s:submit/>
</s:form>

The fileUpload interceptor will use setter injection to insert the uploaded file and related data into your Action class. For a form field named upload you would provide the three setter methods shown in the following example:

Example Action class:

package com.example;

import java.io.File;

import com.opensymphony.xwork2.ActionSupport;

public class UploadAction extends ActionSupport {
    private File file;
    private String contentType;
    private String filename;

    @StrutsParameter
    public void setUpload(File file) {
        this.file = file;
    }

    @StrutsParameter
    public void setUploadContentType(String contentType) {
        this.contentType = contentType;
    }

    @StrutsParameter
    public void setUploadFileName(String filename) {
        this.filename = filename;
    }

    public String execute() {
        //...
        return SUCCESS;
    }
}

The purpose of each one of these methods is described in the table below. Notice that if you have multiple file form elements with different names you would be required to have another corresponding set of these methods for each file uploaded.

Method Signature Description
setX(File file) The file that contains the content of the uploaded file. This is a temporary file and file.getName() will not return the original name of the file
setXContentType(String contentType) The mime type of the uploaded file
setXFileName(String fileName) The actual file name of the uploaded file (not the HTML name)

Uploading Multiple Files

As mentioned in the previous section one technique for uploading multiple files would be to simply have multiple form input elements of type file all with different names. This would require a number of setter methods that was equal to 3 times the number of files being uploaded. Another option is to use Arrays or java.util.Lists. The following examples are taken from the Showcase example application that is part sample applications you can download at http://struts.apache.org/download.cgi. For the Action mapping details see struts-fileupload.xml in the sample application download.

Uploading Multiple Files using Arrays

multipleUploadUsingArray.jsp Notice all file input types have the same name.

<s:form action="doMultipleUploadUsingArray" method="POST" enctype="multipart/form-data">
    <s:file label="File (1)" name="upload"/>
    <s:file label="File (2)" name="upload"/>
    <s:file label="FIle (3)" name="upload"/>
    <s:submit cssClass="btn btn-primary"/>
</s:form>

MultipleFileUploadUsingArrayAction.java

public class MultipleFileUploadUsingArrayAction extends ActionSupport {
    private File[] uploads;
    private String[] uploadFileNames;
    private String[] uploadContentTypes;

    public String upload() throws Exception {
        System.out.println("\n\n upload2");
        System.out.println("files:");
        for (File u : uploads) {
            System.out.println("*** " + u + "\t" + u.length());
        }
        System.out.println("filenames:");
        for (String n : uploadFileNames) {
            System.out.println("*** " + n);
        }
        System.out.println("content types:");
        for (String c : uploadContentTypes) {
            System.out.println("*** " + c);
        }
        System.out.println("\n\n");
        return SUCCESS;
    }

    public File[] getUpload() {
        return this.uploads;
    }

    @StrutsParameter
    public void setUpload(File[] upload) {
        this.uploads = upload;
    }

    public String[] getUploadFileName() {
        return this.uploadFileNames;
    }

    @StrutsParameter
    public void setUploadFileName(String[] uploadFileName) {
        this.uploadFileNames = uploadFileName;
    }

    public String[] getUploadContentType() {
        return this.uploadContentTypes;
    }

    @StrutsParameter
    public void setUploadContentType(String[] uploadContentType) {
        this.uploadContentTypes = uploadContentType;
    }
}

Uploading Multiple Files using Lists

multipleUploadUsingList.jsp Notice all file input types have the same name.

<s:form action="doMultipleUploadUsingList" method="POST" enctype="multipart/form-data">
    <s:file label="File (1)" name="upload"/>
    <s:file label="File (2)" name="upload"/>
    <s:file label="FIle (3)" name="upload"/>
    <s:submit cssClass="btn btn-primary"/>
</s:form>

MultipleFileUploadUsingListAction.java

public class MultipleFileUploadUsingListAction extends ActionSupport {
    private List<File> uploads = new ArrayList<File>();
    private List<String> uploadFileNames = new ArrayList<String>();
    private List<String> uploadContentTypes = new ArrayList<String>();

    public List<File> getUpload() {
        return this.uploads;
    }

    @StrutsParameter
    public void setUpload(List<File> uploads) {
        this.uploads = uploads;
    }

    public List<String> getUploadFileName() {
        return this.uploadFileNames;
    }

    @StrutsParameter
    public void setUploadFileName(List<String> uploadFileNames) {
        this.uploadFileNames = uploadFileNames;
    }

    public List<String> getUploadContentType() {
        return this.uploadContentTypes;
    }

    @StrutsParameter
    public void setUploadContentType(List<String> contentTypes) {
        this.uploadContentTypes = contentTypes;
    }

    public String upload() throws Exception {
        System.out.println("\n\n upload1");
        System.out.println("files:");
        for (File u : uploads) {
            System.out.println("*** " + u + "\t" + u.length());
        }
        System.out.println("filenames:");
        for (String n : uploadFileNames) {
            System.out.println("*** " + n);
        }
        System.out.println("content types:");
        for (String c : uploadContentTypes) {
            System.out.println("*** " + c);
        }
        System.out.println("\n\n");
        return SUCCESS;
    }
}

Advanced Configuration

The Struts 2 default.properties file defines several settings that affect the behavior of file uploading. You may find it necessary to change these values. The names and default values are:

struts.multipart.parser=jakarta
struts.multipart.saveDir= # Filesystem location to save parsed request data
struts.multipart.maxSize=2097152 # Max combined size of files per request
struts.multipart.maxFiles=256 # Max number of files per request
struts.multipart.maxFileSize= # Max size per file per request
struts.multipart.maxStringLength=4096 # Max length of a string parameter (a normal field) in a multipart request (since Struts 6.1.2.1)

You can also set the max options to unlimited by setting their value to -1, but please see the sections below for further details on these options first.

Files Number Limit

Since Struts 6.1.2 a new option was added, which uses Commons FileUpload feature to limit how many files can be uploaded at once, in one request. This option requires to use Commons FileUpload ver. 1.5 at least and by default is set to 256. Please always set this to a finite value to prevent DoS attacks.

To change this value define a constant in struts.xml as follows:

<struts>
    <constant name="struts.multipart.maxFiles" value="500"/>
</struts>

File Size Limits

There are multiple methods to enforce file size limits.

There is struts.multipart.maxSize which is loaded from the Struts configuration. This setting exists for security reasons to prohibit a malicious user from uploading extremely large files to fill up your server’s disk space. This setting defaults to approximately 2MB and should be adjusted to the maximum size (2GB) that you expect to parse. If you are uploading more than one file in a single request, the struts.multipart.maxSize applies to the combined total, not the individual files.

There is also struts.multipart.maxFileSize which is not enforced by default, but can be enabled to enforce a max size on a per-file basis.

The other setting, maximumSize, is an interceptor setting that is used to ensure a particular Action does not receive a file that is too large. Note that the aforementioned settings are applied at the request parsing level and take precedence over this interceptor setting.

Notice the locations of these settings in the following example:

<struts>
    <constant name="struts.multipart.maxSize" value="1000000"/>
    <constant name="struts.multipart.maxFileSize" value="750000"/>

    <action name="doUpload" class="com.example.UploadAction">
        <interceptor-ref name="basicStack"/>
        <interceptor-ref name="actionFileUpload">
            <param name="maximumSize">500000</param>
        </interceptor-ref>
        <interceptor-ref name="validation"/>
        <interceptor-ref name="workflow"/>

        <result name="success">good_result.jsp</result>
    </action>
</struts>

Normal Field Size Limit

Since Struts 6.1.2.1 a new option has been introduced to limit the size of a normal string field in the multipart request. The defeault limit is set to 4096 bytes:

struts.multipart.maxStringLength=4096

This options prevents attacks, which consists of multiple large objects in the multipart request. Such attack can exhaust the available memory and finally produce OutOfMemoryException. If the limit is too low you can increase it by defining the following constant in struts.xml:

<struts>
    <constant name="struts.multipart.maxStringLength" value="10000"/>

    <action name="doUpload" class="com.example.UploadAction">
          ...
    </action>
</struts>

File Types

There are two ways to limit the uploaded file type, decoratively and programmatically. To decoratively limit the file type a comma separated list of allowedTypes can be specified as a fileUpload interceptor param as shown in the following example:

<action name="doUpload" class="com.example.UploadAction">
    <interceptor-ref name="basicStack"/>
    <interceptor-ref name="actionFileUpload">
        <param name="allowedTypes">image/jpeg,image/gif</param>
    </interceptor-ref>
    <interceptor-ref name="validation"/>
    <interceptor-ref name="workflow"/>

    <result name="success">good_result.jsp</result>
</action>

When the uploaded file type does not match one of the MIME types specified a field error will be created as described in the next section entitled Error Messages. Programmatically limiting the file type means using the information passed in to your Action class via the setXContentType(String contentType) method. The benefit to this type of approach would be that it’s more flexible and no interceptor configuration would be needed if file sizes are keep under 2 megs.

Error Messages

If an error occurs several field errors will be added assuming that the action implements com.opensymphony.xwork2.ValidationAware or extends com.opensymphony.xwork2.ActionSupport. These error messages are based on several i18n values stored in struts-messages.properties, a default i18n file processed for all i18n requests. You can override the text of these messages by providing text for the following keys:

Error Key Description
struts.messages.error.uploading A general error that occurs when the file could not be uploaded
struts.messages.error.file.too.large Occurs when the uploaded file is too large as specified by maximumSize.
struts.messages.error.content.type.not.allowed Occurs when the uploaded file does not match the expected content types specified
struts.messages.error.file.extension.not.allowed Occurs when uploaded file has disallowed extension
struts.messages.upload.error.SizeLimitExceededException Occurs when the upload request (as a whole) exceed configured struts.multipart.maxSize
struts.messages.upload.error.FileSizeLimitExceededException Occurs when a file within the upload request exceeds configured struts.multipart.maxFileSize
struts.messages.upload.error.FileCountLimitExceededException Occurs when the number of files in the upload request exceeds configured struts.multipart.maxFiles
struts.messages.upload.error.<Exception class SimpleName> Occurs when any other exception took place during file upload process

Temporary Directories

All uploaded files are saved to a temporary directory by the framework before being passed in to an Action. Depending on the allowed file sizes it may be necessary to have the framework store these temporary files in an alternate location. To do this change struts.multipart.saveDir to the directory where the uploaded files will be placed. If this property is not set it defaults to javax.servlet.context.tempdir. Keep in mind that on some operating systems, like Solaris, /tmp is memory based and files stored in that directory would consume an amount of RAM approximately equal to the size of the uploaded file.

Alternate Libraries

The struts.multipart.parser used by the fileUpload interceptor to handle HTTP POST requests, encoded using the MIME-type multipart/form-data, can be changed out. Currently there are two choices, jakarta and pell. The jakarta parser is a standard part of the Struts 2 framework needing only its required libraries added to a project. The pell parser uses Jason Pell’s multipart parser instead of the Commons-FileUpload library. The pell parser is a Struts 2 plugin, for more details see: Pell multipart plugin. There was a third alternative, cos, but it was removed due to licensing incompatibilities.

As from Struts version 2.3.18 a new implementation of MultiPartRequest was added - JakartaStreamMultiPartRequest. It can be used to handle large files, see WW-3025 for more details, but you can simple set

<constant name="struts.multipart.parser" value="jakarta-stream" />

in struts.xml to start using it.

Request validation

The struts.multipart.validationRegex is used to define a RegEx to be used to validate if the incoming request is a multipart request. The request must use the POST method and match the RegEx, by default the RegEx is defined as follow:

^multipart/form-data(?:\\s*;\\s*boundary=[0-9a-zA-Z'()+_,\\-./:=?]{1,70})?(?:\\s*;\\s*charset=[a-zA-Z\\-0-9]{3,14})?

Please read RFC1341 the Multipart section for more details, existing Struts Multipart parsers support only multipart/form-data content type. This option is available since Struts 2.3.11.

Disabling file upload support

You can alternatively disable the whole file upload mechanism defining a constant in struts.xml:

<constant name="struts.multipart.enabled" value="false"/>

With this constant in place, Struts will ignore a Content-Type header and will treat each request as an ordinary http request. This option is available since Struts 2.3.11.

Follow @x