Spring mvc:resources access to outside folder


Problem description


I have stored media (pictures and movies) in a folder (for example C:\test\tes.png) and I'm trying to access the pictures with a URL like: http://localhost:8080/app/picture/test.png. To do that, I have used the resources tag (Spring 3) as below:

<mvc:resources mapping="/picture/**" location="file:/test" />


When I try to access it, I get an error with no more details.


Requested Resource Not Found

In the log I have:


2011-11-07 20:48:55,241 [http-8080-2] DEBUG org.springframework.web.servlet.DispatcherServlet - DispatcherServlet with name 'Family' processing GET request for [/Family/photos/testImage2.png]
2011-11-07 20:48:55,241 [http-8080-2] DEBUG org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - Matching patterns for request [/photos/testImage2.png] are [/**]
2011-11-07 20:48:55,241 [http-8080-2] DEBUG org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - URI Template variables for request [/photos/testImage2.png] are {}
2011-11-07 20:48:55,242 [http-8080-2] DEBUG org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - Mapping [/photos/testImage2.png] to HandlerExecutionChain with handler [org.springframework.web.servlet.resource.DefaultServletHttpRequestHandler@3a779f5e] and 4 interceptors
2011-11-07 20:48:55,242 [http-8080-2] DEBUG org.springframework.web.servlet.DispatcherServlet - Last-Modified value for [/Family/photos/testImage2.png] is: -1
2011-11-07 20:48:55,242 [http-8080-2] DEBUG org.springframework.web.servlet.DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'Family': assuming HandlerAdapter completed request handling
2011-11-07 20:48:55,242 [http-8080-2] DEBUG org.springframework.web.servlet.DispatcherServlet - Successfully completed request


I have certainly not understood everything...


Another question: I'm not sure this is a good approach. What are other solutions to access media in an external folder?

Thanks in advance!

Recommended answer

First question: mapping


I am not 100% sure, but I would guess there is a final / missing from the location. Change it to:

<mvc:resources mapping="/picture/**" location="file:/test/" />


Another question: I'm not sure this is a good approach. What are other solutions to access media in an external folder?


In my humble opinion, it is very bad practice to give a web site user full read access to a folder. Attention: the access is not limited to the folder itself; the user can also access all subfolders.


And even if you decide to ignore this warning, you must test what happens if some user invokes http://localhost:8080/app/picture/../someFile. I don't know what would happen, but make 120% sure that nobody can access any file outside the picture folder! -- I have had a look into the Spring implementation, and it seems that Spring already handles this issue.

Since Spring 3.2.12, 4.0.8, 4.1.2 the Resource Handler makes sure that you can not access a folder outside the specified resource folder. (SPR-12354: Directory traversal with static resource handling (CVE-2014-3625))
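The containment check the answer asks you to test for can be written with plain java.nio when media files are served from your own code instead of a folder-wide mapping. This is an added example, not code from the original answer or from Spring; the class name, method name and the temporary sample folder layout are hypothetical and constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.Optional;

// Added example: resolves a requested media name inside a base folder and
// refuses anything that ends up outside it. All names here are hypothetical.
public class MediaPathCheck {

    static Optional<Path> resolveInside(Path baseDir, String requested) throws IOException {
        Path base = baseDir.toRealPath();                    // canonical base, symlinks resolved
        Path candidate;
        try {
            candidate = base.resolve(requested).normalize(); // collapses "." and ".."
        } catch (InvalidPathException e) {
            return Optional.empty();                         // e.g. NUL byte in the name
        }
        if (!candidate.startsWith(base) || !Files.isRegularFile(candidate)) {
            return Optional.empty();                         // escaped the folder, or not a file
        }
        // Re-check after resolving symlinks: a link inside the folder may point outside it.
        Path real = candidate.toRealPath();
        return real.startsWith(base) ? Optional.of(real) : Optional.empty();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/secret.txt next to <tmp>/picture/test.png
        Path root = Files.createTempDirectory("media-demo");
        Path picture = Files.createDirectory(root.resolve("picture"));
        Files.write(picture.resolve("test.png"), new byte[] {1, 2, 3});
        Files.write(root.resolve("secret.txt"), "outside".getBytes());

        String[] requests = {
            "test.png", "../secret.txt", "sub/../../secret.txt",
            root.resolve("secret.txt").toString(), "missing.png"
        };
        for (String r : requests) {
            boolean ok = resolveInside(picture, r).isPresent();
            System.out.println(r + " -> " + (ok ? "serve" : "404"));
        }
    }
}
```

Path.startsWith compares whole path components, so a sibling folder such as picture2 does not pass as being inside picture, which a plain string prefix comparison would allow.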
