Restricting File Uploads

Several dialogs in JasperReports Server prompt the user to upload a file to the server. For performance and security reasons, you may want to restrict file uploads by name and size.

The following setting is the global file upload limit for the entire server. Any single upload that exceeds this limit will trigger an error and a stack trace message. It's intended to be an absolute maximum to prevent a worse out-of-memory error that affects the entire server.

Global File Size Upload Limit

Configuration File: …/WEB-INF/js.config.properties

Property: file.upload.max.size
Value: -1 <default>
Description: Maximum size in bytes allowed for any file upload. The default value, -1, means there is no limit to the file size, and a large enough file could cause an out-of-memory error in the JVM. Some file uploads such as importing through the UI are necessarily large and must be taken into account. Set this value larger than your largest expected import and less than your available memory.

The following settings apply to most file upload dialogs in the user interface, such as uploading a JRXML or a JAR file to create a JasperReport in the repository. These settings in the fileResourceValidator bean restrict the file size and the filename pattern.

File Upload Restrictions

Configuration File: …/WEB-INF/flows/fileResourceBeans.xml

Property: maxFileSize
Value: -1 <default>
Description: Maximum size in bytes allowed for a file uploaded through most UI dialogs. If an upload exceeds this limit, the server displays a helpful error message. The default value, -1, means there is no limit to the file size, and an upload could reach the global limit, if one is set, or cause an out-of-memory error. Usually, files required in resources are smaller, and a limit of 10 MB is reasonable.

Property: fileNameRegexp
Value: ^.+$ <default>
Description: A regular expression that matches allowed file names. The default expression matches all filenames of one or more characters. A more restrictive expression such as [a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10} would limit uploads to alphanumeric names with an extension.

Property: fileNameValidationMessageKey
Value: <null/> <default>
Description: The name of a Java property key whose value is a custom message to display when the uploaded filename does not match fileNameRegexp. For example, you could add the following line to WEB-INF/js.config.properties:

my.filename.validation=The name of the uploaded filename must contain only alphanumeric characters and have a valid extension.
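
To see how a candidate fileNameRegexp behaves before deploying it, the following added example (not code from JasperReports Server) runs the restrictive expression quoted above against constructed filenames under whole-name and substring matching. The page does not state which of the two the fileResourceValidator bean applies, so both are shown; the class name FileNameRegexpCheck and the sample names are assumptions made for the illustration.

```java
import java.util.regex.Pattern;

// Added example: compares how a candidate fileNameRegexp behaves under
// whole-name matching and under substring matching.
public class FileNameRegexpCheck {

    // Expression quoted on the page, and the same expression with explicit anchors.
    static final Pattern PAGE_EXAMPLE =
            Pattern.compile("[a-zA-Z0-9]{1,200}\\.[a-zA-Z0-9]{1,10}");
    static final Pattern ANCHORED =
            Pattern.compile("^[a-zA-Z0-9]{1,200}\\.[a-zA-Z0-9]{1,10}$");

    // Whole-name semantics: the entire filename must match the expression.
    static boolean fullMatch(Pattern p, String name) {
        return p.matcher(name).matches();
    }

    // Substring semantics: a match anywhere inside the filename is enough.
    static boolean partialMatch(Pattern p, String name) {
        return p.matcher(name).find();
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from any real server.
        String[] names = {
            "SalesReport.jrxml",        // plain alphanumeric name
            "sales_report-2024.jrxml",  // underscore and hyphen
            "Q1 summary.pdf",           // space
            "lib.v2.jar",               // two dots
            "reports/logo.png",         // path separator
            "README"                    // no extension
        };
        System.out.printf("%-26s %-10s %-10s %s%n",
                "name", "full", "partial", "anchored+partial");
        for (String n : names) {
            System.out.printf("%-26s %-10b %-10b %b%n", n,
                    fullMatch(PAGE_EXAMPLE, n),
                    partialMatch(PAGE_EXAMPLE, n),
                    partialMatch(ANCHORED, n));
        }
    }
}
```

A name whose full and partial columns differ is accepted or rejected depending on the matching mode, which is why writing ^ and $ explicitly is the safer form. The anchored expression also rejects names containing hyphens, underscores or spaces, so widen the character class if your users need them.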

The following setting restricts the extension of the uploaded file. The upload dialogs will browse only for files with the given extensions. Add or remove extensions to change the file type restrictions:

File Upload Extensions

Configuration File: <jasperserver-pro-war>/scripts/resource.locate.js

Property: ALLOWED_FILE_RESOURCE_EXTENSIONS
Value: By default, the following extensions are allowed:

"css", "ttf", "jpg", "jpeg", "gif", "bmp", "png", "jar", "jrxml", "properties", "jrtx", "xml", "agxml", "docx", "doc", "ppt", "pptx", "xls", "xlsx", "ods", "odt", "odp", "pdf", "rtf", "html"
