Enhanced File UploadDmitry Krivaltsevich
AgendaWhat we will talk about:
• How to upload files to the server• Java security model. Escape from the sandbox• POST-requests. Chunked or fixed-length?• Multi threaded applet VS single threaded JS
HTML4. Form submit
HTML4. Form submitImplementation:
hidden iframe
form target
HTML4. Form submit
Pros:• Native• Easy to implement
Cons:• Multiple file selection: not supported• Directory traversal: not supported• Drag & Drop from FS: not supported
HTML5. JS (File API + AJAX)Google use it for Google docs
HTML5. JS (File API + AJAX)
HTML5. JS (File API + AJAX)
• <input type="file" multiple=""/>• File API
Pros:• Multiple file selection• One input field for all files• Pre-processing files on client side
Implementation:
Cons:• Firefox 3.6.*: several implementation issues• IE: not supported• Directory traversal: not supported
Flash uploaderFacebook
Flash uploaderImplementation:• Embedded flash-object
Pros:• Multiple file selection• Various browsers: flash-plugin required
Cons:• Directory traversal: not supported
Java applet
ABC app
Google docs
Java appletHTML template
Java appletHTML template
HTTP-Only cookies
Java security model
JVM Sandbox
Classloader
Local or remote code (usigned / signed)
Security policy
Valuable resources (files, etc)
Escape from the sandbox
Signing
• Create keystore• Create private key• Create signed/self-signed certificate• Sign applet
Escape from the sandbox
Create key and certificate
Sign JAR
Escape from the sandboxSigning in ant
Escape from the sandboxSigning in maven
Escape from the sandbox
HTTP-POST Request
1 Boundary
1
1
1
2 Fixed-Length
2
3 Field name
3
4 Filename and directory path
4
Transfer-Encoding: chunkedExample
Explanation
Drag & Drop
Applet – JavaScript interactions
Multi threaded applet VS single threaded JS
Thread #1
Thread #2
Thread #3
JVM
Thread #3Thread #1Thread #1Thread #3Thread #2
JSThread #1
JSqueue
Upload appletImplementation:• Java-applet
Pros:• Multiple file and directories selection• Directory traversal• Drag & drop directly from File System
Cons:• Java & Java plugin required• Mac OS X: works only in Safari
Do you have any questions?
Thanks!
