Headless Server Developer Manual / Version 2304
Table Of Contents
The MediaController is responsible for the delivery of binary contents like images and other content types.
For security reasons, the Spring framework sets the HTTP Content-Disposition response header to the static value
inline; filename=f.txt
for potentially insecure document types, e.g PDF files, unless it was
specifically set previously.
This behaviour may produce undesirable results when downloading files via the MediaController, as the filename is
anonymous and the document type is forced to the suffix txt
, no matter what the real document type might be.
It is however possible to configure Spring to suppress this default behaviour for specific document types, using
CaasConfig
.
/** * Code example to suppress the default Content-Disposition header for * potentially insecure document types. Add to CaasConfig if necessary. */ @Override public void configureContentNegotiation( ContentNegotiationConfigurer configurer ) { configurer.mediaType("pdf", MediaType.APPLICATION_PDF); configurer.mediaType("eps", new MediaType("application", "postscript")); }
Example 3.2. Configuring Content Type Resolution for PDF and EPS Files
Please see the original Spring Web MVC Documentation about Content Types for a more detailed insight about the security aspects and about so called reflected file download attacks (RFD).
Also refer to Chapter 12, Media Endpoint about how the MediaController
sets the
Content-Disposition response header.