This one requires a bit of explaination.
When writing a Servlet that will enable users to upload files from a form you need to be able to limit both the size of the file(s) and the entire multipart/form-data request. The Servlet 3.0 spec now includes a @MultipartConfig annotation (which can also be specified in web.xml, see other post in this blog).
Based on the Servlet 3.0 spec here is what is supposed to happen.
- The user submits a multi-part form that exceeds any of upload limitation parameters in the @MultipartConfig annotation.
- An attempt in the doPost method of the Servlet to invoke a Collection<Part> parts = request.getParts(); should throw an IllegalStateException enabling the Servlet to respond to the client and somehow communicate that the multi-part message was too large.
However, if within the doPost method a request.getParameter([param_name]) is invoked on the request object BEFORE attempting to invoke request.getParts(), the Servlet will not throw an IllegalStateException if any of the parameters in the MultipartConfig have been exceeded. Instead, .getParts() returns a Collection of 0 parts, and without the Exception you have no idea why the multipart POST failed.
If request.getParameter([param_name]) is invoked on the request object AFTER the first attempt to invoke request.getParts(), .getParts() will throw an IllegalStateException with the details about why the POST failed if any any of the parameters in the MultipartConfig have been exceeded.
This took me quite a while to track down.
The long and the short of it is that if you want to be able to check to make sure that any of the @MultipartConfig limitations are exceeded on the server-side (which you should) you MUST invoke request.getParts()before attempting to read any query string values.
Certainly, there will be those that will say ‘why not just check all of this on the client-side in JavaScript?’. To which I would say, that is absolutely what you should do. However, you should always double-check on the server-side to prevent someone who has managed to circumvent your client-side form validation. Furthermore, there are a number of very slick and easy JavaScript implementations to do this that do not work in various versions of IE.