Headless Server Developer Manual / Version 2207

3.5.6 MediaType Content Negotiation

The MediaController is responsible for the delivery of binary contents like images and other document types. For security reasons, the Spring framework sets the HTTP Content-Disposition response header to the static value inline; filename=f.txt for potentially insecure document types, e.g. PDF files, unless it was specifically set previously.

This behaviour may produce undesirable results when downloading files via the MediaController: the filename is anonymous (f.txt) and the suffix txt hides the real document type, whatever it might be.

It is, however, possible to configure Spring to suppress this default behaviour for specific document types, using CaasConfig.

import org.springframework.http.MediaType;
import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer;

/**
 * Code example to suppress the default Content-Disposition header for
 * potentially insecure document types. Add to CaasConfig if necessary.
 * Registering an extension with its media type makes Spring treat that
 * extension as known, so the static inline; filename=f.txt header is
 * no longer applied to it.
 */
@Override
public void configureContentNegotiation(
  ContentNegotiationConfigurer configurer
) {
  configurer.mediaType("pdf", MediaType.APPLICATION_PDF);
  configurer.mediaType("eps", new MediaType("application", "postscript"));
}

Example 3.2. Configuring Content Type Resolution for PDF and EPS Files


Please see the original Spring Web MVC documentation about content types for a more detailed insight into the security aspects and into so-called reflected file download (RFD) attacks.

Also refer to Chapter 12, Media Endpoint, for how the MediaController sets the Content-Disposition response header.
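The following is an added example, not code from CaasConfig or the Headless Server, showing both ways around Spring's default header that the sections above describe: a WebMvcConfigurer that registers PDF and EPS as known media types (the same mapping as Example 3.2), and a controller that sets Content-Disposition explicitly before Spring writes the body, which is the "unless it was specifically set previously" case. The class names SafeDownloadConfig and ExampleDownloadController, the path /example-download/report.pdf and the PDF bytes are constructed for this example.

```java
import java.nio.charset.StandardCharsets;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Hypothetical configuration class (stands in for CaasConfig in this example).
 * Registering the extensions tells Spring's reflected-file-download guard
 * that "pdf" and "eps" are known types, so it does not overwrite the
 * Content-Disposition header with "inline;filename=f.txt".
 */
@Configuration
public class SafeDownloadConfig implements WebMvcConfigurer {

  @Override
  public void configureContentNegotiation(ContentNegotiationConfigurer configurer) {
    configurer.mediaType("pdf", MediaType.APPLICATION_PDF);
    configurer.mediaType("eps", new MediaType("application", "postscript"));
  }
}

/**
 * Hypothetical controller showing the second mechanism: a header that is
 * already set is left untouched by Spring, so the real filename and an
 * "attachment" disposition reach the client.
 */
@RestController
class ExampleDownloadController {

  // Constructed sample payload; a real endpoint would stream the document.
  private static final byte[] SAMPLE_PDF =
      "%PDF-1.4 constructed sample".getBytes(StandardCharsets.US_ASCII);

  @GetMapping(value = "/example-download/report.pdf", produces = "application/pdf")
  public ResponseEntity<byte[]> download() {
    // ContentDisposition builds a correctly quoted/encoded header value;
    // "attachment" asks the browser to save rather than render the file.
    String disposition = ContentDisposition.builder("attachment")
        .filename("report.pdf", StandardCharsets.UTF_8)
        .build()
        .toString();
    return ResponseEntity.ok()
        .header(HttpHeaders.CONTENT_DISPOSITION, disposition)
        .contentType(MediaType.APPLICATION_PDF)
        .body(SAMPLE_PDF);
  }
}
```

The two mechanisms are independent: the media type registration changes what Spring considers a known extension for every handler, while the explicit header only affects the one endpoint and is the more conservative choice for documents the browser could otherwise render inline. Building the value with ContentDisposition rather than string concatenation keeps filenames containing quotes or non-ASCII characters from producing a malformed header.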
