I'm looking for advice on the most professional way to incorporate the ability to download binary files from a J2EE web application. In such an application there would be the following requirements: 1) a client of the application must authenticate before being allowed to download anything, 2) the binary files would preferably be located external to the web application directory.
In general, I know that I can store the binary files inside of the web application directory and link to the files directly. I could put them in a directory that is protected by a security-constraint in the descriptor file, satisfying requirement 1, but then the web archive would grow with the number and size of the binary files I'm storing. That I don't want. Hence, requirement 2. I could copy the binaries into the web application structure after it has been deployed, but that sounds clumsy and not optimal.
In addition to the binary file itself, the web application would also present the client with a view that shows some information about the file like date, size, and description. I know how to store this data in a database along with the binary file in a BLOB column. I could satisfy requirements 1 and 2 using this approach, but I don't want the database to bloat considering that I plan to have hundreds or even thousands of MBs' worth of binary files. I've also read that this approach wouldn't be a good idea performance-wise.
So I'm open to suggestions as to the best way to handle this problem. Any help would be appreciated.
If it helps, my applications will be deployed using Tomcat 6 and I'm using a Linux server.
Thank you for your advice. In terms of storing the binary files externally, would you advise for or against storing them in a database? If there is a better alternative to storing them in a database, please advise. Thank you.
I would also vote for storing the files outside of the web application, and also the database.
You can still use a database to maintain the index of files and related information (security?) but it is much easier when the actual file resides on a physical disk.
As for controlling access, if you insist that all access to the files goes through a single point (your file download servlet) then that's the obvious place to put your security. You can then limit explicitly which files can be accessed via code.
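
One way to write the single download servlet the answer above describes, added here as an example and not code posted by anyone in the thread. The class name, the `/var/data/downloads` directory, the `id` parameter and the in-memory map standing in for the database index are assumptions; it uses only Servlet 2.5 and `java.io` calls so it fits Tomcat 6.

```java
import java.io.*;
import java.util.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Hypothetical servlet: map it to a URL such as /download in web.xml,
// with a security-constraint on that URL so the container handles login.
public class FileDownloadServlet extends HttpServlet {
    // Assumed storage directory outside the web application (requirement 2).
    private static final File BASE_DIR = new File("/var/data/downloads");

    // Stand-in for the database index: file id -> stored name (constructed data).
    private static final Map<String, String> INDEX = new HashMap<String, String>();
    static {
        INDEX.put("1001", "installer-1.0.bin");
        INDEX.put("1002", "manual.pdf");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Requirement 1: refuse unauthenticated callers even if web.xml is misconfigured.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Clients send an id, never a path, so only indexed files are reachable.
        String name = INDEX.get(req.getParameter("id"));
        if (name == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Second check: the resolved file must sit directly under BASE_DIR
        // (catches symlinks or a bad index entry containing "../").
        File file = new File(BASE_DIR, name).getCanonicalFile();
        if (!BASE_DIR.getCanonicalFile().equals(file.getParentFile()) || !file.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType("application/octet-stream");
        resp.setHeader("Content-Disposition", "attachment; filename=\"" + file.getName() + "\"");
        resp.setHeader("Content-Length", String.valueOf(file.length())); // safe for files over 2 GB
        InputStream in = new FileInputStream(file);
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
        } finally {
            in.close();
        }
    }
}
```

Per-user authorization (which authenticated user may fetch which id) would go next to the index lookup, using `req.getUserPrincipal().getName()` or `req.isUserInRole(...)` against whatever the database records.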