projects / pithos / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix the authentication sequence in requests of a file or a folder which is public...
[pithos] / src / gr / ebs / gss / server / rest / FilesHandler.java
diff --git a/src/gr/ebs/gss/server/rest/FilesHandler.java b/src/gr/ebs/gss/server/rest/FilesHandler.java
index ca54d50..0366a90 100644 (file)
--- a/src/gr/ebs/gss/server/rest/FilesHandler.java
+++ b/src/gr/ebs/gss/server/rest/FilesHandler.java
@@ -18,12 +18,14 @@
  */
 package gr.ebs.gss.server.rest;
 
+import static gr.ebs.gss.server.configuration.GSSConfigurationFactory.getConfiguration;
 import gr.ebs.gss.client.exceptions.DuplicateNameException;
 import gr.ebs.gss.client.exceptions.GSSIOException;
 import gr.ebs.gss.client.exceptions.InsufficientPermissionsException;
 import gr.ebs.gss.client.exceptions.ObjectNotFoundException;
 import gr.ebs.gss.client.exceptions.QuotaExceededException;
 import gr.ebs.gss.client.exceptions.RpcException;
+import gr.ebs.gss.server.Login;
 import gr.ebs.gss.server.domain.FileUploadStatus;
 import gr.ebs.gss.server.domain.User;
 import gr.ebs.gss.server.domain.dto.FileBodyDTO;
@@ -32,7 +34,9 @@ import gr.ebs.gss.server.domain.dto.FolderDTO;
 import gr.ebs.gss.server.domain.dto.GroupDTO;
 import gr.ebs.gss.server.domain.dto.PermissionDTO;
 import gr.ebs.gss.server.ejb.ExternalAPI;
+import gr.ebs.gss.server.ejb.TransactionHelper;
 import gr.ebs.gss.server.webdav.Range;
+import gr.ebs.gss.server.webdav.RequestUtil;
 
 import java.io.BufferedReader;
 import java.io.ByteArrayInputStream;
@@ -51,9 +55,11 @@ import java.net.URISyntaxException;
 import java.net.URLDecoder;
 import java.net.URLEncoder;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.Date;
 import java.util.HashSet;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
 import java.util.StringTokenizer;
@@ -62,9 +68,11 @@ import java.util.concurrent.Callable;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.ServletOutputStream;
+import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.fileupload.FileItemIterator;
 import org.apache.commons.fileupload.FileItemStream;
 import org.apache.commons.fileupload.FileUploadException;
@@ -130,12 +138,35 @@ public class FilesHandler extends RequestHandler {
        private ServletContext context;
 
        /**
+        * The style sheet for displaying the directory listings.
+        */
+       private static final String GSS_CSS = "H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} " + "H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} " + "H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} " + "BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} " + "B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} " + "P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}" + "A {color : black;}" + "A.name {color : black;}" + "HR {color : #525D76;}";
+
+
+       /**
         * @param servletContext
         */
        public FilesHandler(ServletContext servletContext) {
                context = servletContext;
        }
 
+       private void updateAccounting(final User user, final Date date, final long bandwidthDiff) {
+               try {
+                       new TransactionHelper<Void>().tryExecute(new Callable<Void>() {
+                               @Override
+                               public Void call() throws Exception {
+                                       getService().updateAccounting(user, date, bandwidthDiff);
+                                       return null;
+                               }
+                       });
+               } catch (RuntimeException e) {
+                       throw e;
+               } catch (Exception e) {
+                       // updateAccounting() doesn't throw any checked exceptions
+                       assert false;
+               }
+       }
+
        /**
      * Serve the specified resource, optionally including the data content.
      *
@@ -164,7 +195,7 @@ public class FilesHandler extends RequestHandler {
                }
        String progress = req.getParameter(PROGRESS_PARAMETER);
 
-       if (logger.isDebugEnabled())
+       if (logger.isDebugEnabled())                    
                        if (content)
                        logger.debug("Serving resource '" +     path + "' headers and data");
                else
@@ -172,7 +203,6 @@ public class FilesHandler extends RequestHandler {
 
        User user = getUser(req);
        User owner = getOwner(req);
-       if (user == null) user = owner;
         boolean exists = true;
         Object resource = null;
         FileHeaderDTO file = null;
@@ -186,89 +216,135 @@ public class FilesHandler extends RequestHandler {
                        return;
                }
 
-       if (!exists) {
-                       if (authDeferred) {
-                               // We do not want to leak information if the request
-                               // was not authenticated.
-                               resp.sendError(HttpServletResponse.SC_FORBIDDEN);
-                               return;
-                       }
-               // A request for upload progress.
-               if (progress != null && content) {
-                       serveProgress(req, resp, progress, user, null);
-                               return;
-               }
-
-               resp.sendError(HttpServletResponse.SC_NOT_FOUND, req.getRequestURI());
+       if (!exists && authDeferred) {
+               // We do not want to leak information if the request
+               // was not authenticated.
+               resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
        }
 
        if (resource instanceof FolderDTO)
                folder = (FolderDTO) resource;
        else
-               file = (FileHeaderDTO) resource;
+               file = (FileHeaderDTO) resource;        // Note that file will be null, if (!exists).
 
        // Now it's time to perform the deferred authentication check.
                // Since regular signature checking was already performed,
                // we need to check the read-all flag or the signature-in-parameters.
                if (authDeferred)
                        if (file != null && !file.isReadForAll() && content) {
+                               logger.debug("this case refers to a file with no public privileges");
                                // Check for GET with the signature in the request parameters.
                                String auth = req.getParameter(AUTHORIZATION_PARAMETER);
                                String dateParam = req.getParameter(DATE_PARAMETER);
                                if (auth == null || dateParam == null) {
-                                       resp.sendError(HttpServletResponse.SC_FORBIDDEN);
-                                       return;
-                               }
+                                       // Check for a valid authentication cookie.
+                                       if (req.getCookies() != null) {
+                                               boolean found = false;
+                                               for (Cookie cookie : req.getCookies())
+                                                       if (Login.AUTH_COOKIE.equals(cookie.getName())) {
+                                                               String cookieauth = cookie.getValue();
+                                                               int sepIndex = cookieauth.indexOf(Login.COOKIE_SEPARATOR);
+                                                               if (sepIndex == -1) {
+                                                                       handleAuthFailure(req, resp);
+                                                                       return;
+                                                               }
+                                                               String username = URLDecoder.decode(cookieauth.substring(0, sepIndex), "US-ASCII");
+                                                               user = null;
+                                                               try {
+                                                                       user = getService().findUser(username);
+                                                               } catch (RpcException e) {
+                                                               resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, path);
+                                                                       return;
+                                                               }
+                                                               if (user == null) {
+                                                               resp.sendError(HttpServletResponse.SC_FORBIDDEN);
+                                                               return;
+                                                       }
+                                                               req.setAttribute(USER_ATTRIBUTE, user);
+                                                               String token = cookieauth.substring(sepIndex + 1);
+                                                               if (user.getAuthToken() == null) {
+                                                                       resp.sendError(HttpServletResponse.SC_FORBIDDEN);
+                                                                       return;
+                                                               }
+                                                               if (!Arrays.equals(user.getAuthToken(), Base64.decodeBase64(token))) {
+                                                                       resp.sendError(HttpServletResponse.SC_FORBIDDEN);
+                                                                       return;
+                                                               }
+                                                               found = true;
+                                                               break;
+                                                       }
+                                               if (!found) {
+                                                       handleAuthFailure(req, resp);
+                                                       return;
+                                               }
+                                       } else {
+                                               handleAuthFailure(req, resp);
+                                               return;
+                                       }
+                               } else {
+                               long timestamp;
+                                       try {
+                                               timestamp = DateUtil.parseDate(dateParam).getTime();
+                                       } catch (DateParseException e) {
+                                       resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
+                                       return;
+                                       }
+                               if (!isTimeValid(timestamp)) {
+                                       resp.sendError(HttpServletResponse.SC_FORBIDDEN);
+                                       return;
+                               }
 
-                       long timestamp;
-                               try {
-                                       timestamp = DateUtil.parseDate(dateParam).getTime();
-                               } catch (DateParseException e) {
-                               resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
-                               return;
-                               }
-                       if (!isTimeValid(timestamp)) {
-                               resp.sendError(HttpServletResponse.SC_FORBIDDEN);
-                               return;
-                       }
-
-                               // Fetch the Authorization parameter and find the user specified in it.
-                               String[] authParts = auth.split(" ");
-                               if (authParts.length != 2) {
-                               resp.sendError(HttpServletResponse.SC_FORBIDDEN);
-                               return;
-                       }
-                               String username = authParts[0];
-                               String signature = authParts[1];
-                               user = null;
-                               try {
-                                       user = getService().findUser(username);
-                               } catch (RpcException e) {
-                               resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, path);
-                                       return;
+                                       // Fetch the Authorization parameter and find the user specified in it.
+                                       String[] authParts = auth.split(" ");
+                                       if (authParts.length != 2) {
+                                       resp.sendError(HttpServletResponse.SC_FORBIDDEN);
+                                       return;
+                               }
+                                       String username = authParts[0];
+                                       String signature = authParts[1];
+                                       user = null;
+                                       try {
+                                               user = getService().findUser(username);
+                                       } catch (RpcException e) {
+                                       resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, path);
+                                               return;
+                                       }
+                                       if (user == null) {
+                                       resp.sendError(HttpServletResponse.SC_FORBIDDEN);
+                                       return;
+                               }
+                                       req.setAttribute(USER_ATTRIBUTE, user);
+
+                                       // Remove the servlet path from the request URI.
+                                       String p = req.getRequestURI();
+                                       String servletPath = req.getContextPath() + req.getServletPath();
+                                       p = p.substring(servletPath.length());
+                                       // Validate the signature in the Authorization parameter.
+                                       String data = req.getMethod() + dateParam + p;
+                                       if (!isSignatureValid(signature, user, data)) {
+                                       resp.sendError(HttpServletResponse.SC_FORBIDDEN);
+                                       return;
+                               }
                                }
-                               if (user == null) {
-                               resp.sendError(HttpServletResponse.SC_FORBIDDEN);
-                               return;
-                       }
-                               req.setAttribute(USER_ATTRIBUTE, user);
-
-                               // Remove the servlet path from the request URI.
-                               String p = req.getRequestURI();
-                               String servletPath = req.getContextPath() + req.getServletPath();
-                               p = p.substring(servletPath.length());
-                               // Validate the signature in the Authorization parameter.
-                               String data = req.getMethod() + dateParam + p;
-                               if (!isSignatureValid(signature, user, data)) {
-                               resp.sendError(HttpServletResponse.SC_FORBIDDEN);
-                               return;
-                       }
-                       } else if (file != null && !file.isReadForAll() || file == null) {
-                               // Check for a read-for-all file request.
-                               resp.sendError(HttpServletResponse.SC_FORBIDDEN);
-                               return;
                        }
+               else if(folder != null && folder.isReadForAll() || file != null && file.isReadForAll()){
+                       //This case refers to a folder or file with public privileges
+                       //For a read-for-all folder request, pretend the owner is making it.
+                       logger.debug("*********this case refers to a folder or file with public privileges");
+                       user = owner;
+                       req.setAttribute(USER_ATTRIBUTE, user);
+               }else if(folder != null && !folder.isReadForAll()){
+                       //this case refers to a folder with no public privileges
+                       logger.debug("*********this case refers to a folder with no public privileges");
+                       resp.sendError(HttpServletResponse.SC_FORBIDDEN);
+                       return;
+               }
+               else{
+                       logger.debug("*********ANY other case");
+                       resp.sendError(HttpServletResponse.SC_FORBIDDEN);
+                       return;
+               }
 
        // If the resource is not a collection, and the resource path
        // ends with "/" or "\", return NOT FOUND.
@@ -285,8 +361,8 @@ public class FilesHandler extends RequestHandler {
        // A request for upload progress.
        if (progress != null && content) {
                if (file == null) {
-                       resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
-                       return;
+                       resp.sendError(HttpServletResponse.SC_NOT_FOUND, req.getRequestURI());
+                       return;
                }
                serveProgress(req, resp, progress, user, file);
                        return;
@@ -321,21 +397,46 @@ public class FilesHandler extends RequestHandler {
        // satisfied. Doing this for folders would require recursive checking
        // for all of their children, which in turn would defy the purpose of
        // the optimization.
-       if (folder == null)
+       if (folder == null){
                        // Checking If headers.
                if (!checkIfHeaders(req, resp, file, oldBody))
                                return;
+       }
+       else if(!checkIfModifiedSince(req, resp, folder))
+               return;
 
        // Find content type.
        String contentType = null;
+       boolean isContentHtml = false;
+       boolean expectJSON = false;
+
        if (file != null) {
                contentType = version>0 ? oldBody.getMimeType() : file.getMimeType();
                if (contentType == null) {
                        contentType = context.getMimeType(file.getName());
                        file.setMimeType(contentType);
                }
-       } else
-                       contentType = "application/json;charset=UTF-8";
+       } else { // folder != null
+               String accept = req.getHeader("Accept");
+               // The order in this conditional pessimizes the common API case,
+               // but is important for backwards compatibility with existing
+               // clients who send no accept header and expect a JSON response.
+               if (accept != null && accept.contains("text/html")) {
+                       contentType = "text/html;charset=UTF-8";
+                       isContentHtml = true;
+               }else if (accept != null && accept.contains("text/html") && !authDeferred){
+                       //this is the case when clients send the appropriate headers, the contentType is "text/html"
+                       //and expect a JSON response. The above check applies to FireGSS client
+                       contentType = "text/html;charset=UTF-8";
+                       isContentHtml = true;
+                       expectJSON = true;
+               }
+               else{
+                       contentType = "application/json;charset=UTF-8";
+                       expectJSON = true;
+               }
+               }
+
 
        ArrayList ranges = null;
        long contentLength = -1L;
@@ -388,11 +489,7 @@ public class FilesHandler extends RequestHandler {
                                else
                                        throw e;
                }
-
-       if (folder != null
-                               || (ranges == null || ranges.isEmpty())
-                                                       && req.getHeader("Range") == null
-                                                       || ranges == FULL) {
+       if (folder != null || (ranges == null || ranges.isEmpty()) && req.getHeader("Range") == null || ranges == FULL) {
                // Set the appropriate output headers
                if (contentType != null) {
                        if (logger.isDebugEnabled())
@@ -404,21 +501,31 @@ public class FilesHandler extends RequestHandler {
                                logger.debug("contentLength=" + contentLength);
                        if (contentLength < Integer.MAX_VALUE)
                                        resp.setContentLength((int) contentLength);
+
                                else
                                        // Set the content-length as String to be able to use a long
                                resp.setHeader("content-length", "" + contentLength);
                }
 
                InputStream renderResult = null;
-               if (folder != null)
-                               if (content)
-                                       // Serve the directory browser
+               String relativePath = getRelativePath(req);
+               String contextPath = req.getContextPath();
+               String servletPath = req.getServletPath();
+               String contextServletPath = contextPath + servletPath;
+               if (folder != null && content)
+                       // Serve the directory browser for a public folder
+                       if (isContentHtml && !expectJSON)
+                               renderResult = renderHtml(contextServletPath, relativePath, folder,user);
+                       // Serve the directory for an ordinary folder or for fireGSS client
+                       else
                                try {
-                                               renderResult = renderJson(user, folder);
-                                       } catch (InsufficientPermissionsException e) {
-                                               resp.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
-                                       return;
-                                       }
+                                       renderResult = renderJson(user, folder);
+                                       } catch (InsufficientPermissionsException e) {
+                                               resp.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+                                               return;
+                                       }
+
+
                // Copy the input stream to our output stream (if requested)
                if (content) {
                        try {
@@ -429,14 +536,14 @@ public class FilesHandler extends RequestHandler {
                        try {
                                if(file != null)
                                                if (needsContentDisposition(req))
-                                               resp.setHeader("Content-Disposition","attachment; filename*=UTF-8''"+URLEncoder.encode(file.getName(),"UTF-8"));
+                                               resp.setHeader("Content-Disposition","attachment; filename*=UTF-8''"+getDispositionFilename(file));
                                        else
-                                               resp.setHeader("Content-Disposition","inline; filename*=UTF-8''"+URLEncoder.encode(file.getName(),"UTF-8"));
+                                               resp.setHeader("Content-Disposition","inline; filename*=UTF-8''"+getDispositionFilename(file));
                                if (ostream != null)
                                                copy(file, renderResult, ostream, req, oldBody);
                                        else
                                                copy(file, renderResult, writer, req, oldBody);
-                               if (file!=null) getService().updateAccounting(owner, new Date(), contentLength);
+                               if (file!=null) updateAccounting(owner, new Date(), contentLength);
                        } catch (ObjectNotFoundException e) {
                                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                                return;
@@ -446,7 +553,7 @@ public class FilesHandler extends RequestHandler {
                        } catch (RpcException e) {
                                resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                                return;
-                       }
+                       }
                }
        } else {
                if (ranges == null || ranges.isEmpty())
@@ -484,7 +591,7 @@ public class FilesHandler extends RequestHandler {
                                                        copy(file, ostream, range, req, oldBody);
                                                else
                                                        copy(file, writer, range, req, oldBody);
-                                       getService().updateAccounting(owner, new Date(), contentLength);
+                                       updateAccounting(owner, new Date(), contentLength);
                        } catch (ObjectNotFoundException e) {
                                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                                return;
@@ -509,7 +616,7 @@ public class FilesHandler extends RequestHandler {
                                                        copy(file, ostream, ranges.iterator(), contentType, req, oldBody);
                                                else
                                                        copy(file, writer, ranges.iterator(), contentType, req, oldBody);
-                                       getService().updateAccounting(owner, new Date(), contentLength);
+                                       updateAccounting(owner, new Date(), contentLength);
                        } catch (ObjectNotFoundException e) {
                                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                                return;
@@ -526,6 +633,33 @@ public class FilesHandler extends RequestHandler {
     }
 
        /**
+        * Handles an authentication failure. If no Authorization or Date request
+        * parameters and no Authorization, Date or X-GSS-Date headers were present,
+        * this is a browser request, so redirect to login and then let the user get
+        * back to the file. Otherwise it's a bogus client request and Forbidden is
+        * returned.
+        */
+       private void handleAuthFailure(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+               if (req.getParameter(AUTHORIZATION_PARAMETER) == null &&
+                               req.getParameter(DATE_PARAMETER) == null &&
+                               req.getHeader(AUTHORIZATION_HEADER) == null &&
+                               req.getDateHeader(DATE_HEADER) == -1 &&
+                               req.getDateHeader(GSS_DATE_HEADER) == -1)
+                       resp.sendRedirect(getConfiguration().getString("loginUrl") +
+                                       "?next=" + req.getRequestURL().toString());
+               else
+                       resp.sendError(HttpServletResponse.SC_FORBIDDEN);
+       }
+
+       /**
+        * Return the filename of the specified file properly formatted for
+        * including in the Content-Disposition header.
+        */
+       private String getDispositionFilename(FileHeaderDTO file) throws UnsupportedEncodingException {
+               return URLEncoder.encode(file.getName(),"UTF-8").replaceAll("\\+", "%20");
+       }
+
+       /**
         * Determines whether the user agent needs the Content-Disposition
         * header to be set, in order to properly download a file.
         *
@@ -611,6 +745,10 @@ public class FilesHandler extends RequestHandler {
                }
 
        String newName = req.getParameter(NEW_FOLDER_PARAMETER);
+       if (!isValidResourceName(newName)) {
+               resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
+               return;
+       }
        boolean hasUpdateParam = req.getParameterMap().containsKey(RESOURCE_UPDATE_PARAMETER);
        boolean hasTrashParam = req.getParameterMap().containsKey(RESOURCE_TRASH_PARAMETER);
        boolean hasRestoreParam = req.getParameterMap().containsKey(RESOURCE_RESTORE_PARAMETER);
@@ -647,7 +785,7 @@ public class FilesHandler extends RequestHandler {
         * @throws IOException if an I/O error occurs
         */
        private void restoreVersion(HttpServletRequest req, HttpServletResponse resp, String path, String version) throws IOException {
-               User user = getUser(req);
+               final User user = getUser(req);
                User owner = getOwner(req);
                Object resource = null;
                try {
@@ -665,9 +803,16 @@ public class FilesHandler extends RequestHandler {
                }
 
                try {
-                       FileHeaderDTO file = (FileHeaderDTO) resource;
-                       int oldVersion = Integer.parseInt(version);
-                       getService().restoreVersion(user.getId(), file.getId(), oldVersion);
+                       final FileHeaderDTO file = (FileHeaderDTO) resource;
+                       final int oldVersion = Integer.parseInt(version);
+
+                       new TransactionHelper<Void>().tryExecute(new Callable<Void>() {
+                               @Override
+                               public Void call() throws Exception {
+                                       getService().restoreVersion(user.getId(), file.getId(), oldVersion);
+                                       return null;
+                               }
+                       });
                } catch (InsufficientPermissionsException e) {
                        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                } catch (ObjectNotFoundException e) {
@@ -680,6 +825,8 @@ public class FilesHandler extends RequestHandler {
                        resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, e.getMessage());
                } catch (NumberFormatException e) {
                        resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+               } catch (Exception e) {
+                       resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
                }
        }
 
@@ -722,7 +869,6 @@ public class FilesHandler extends RequestHandler {
                        return;
                }
 
-        FolderDTO folder = null;
        Object parent;
        String parentPath = null;
                try {
@@ -739,8 +885,8 @@ public class FilesHandler extends RequestHandler {
                response.sendError(HttpServletResponse.SC_CONFLICT);
                return;
        }
-               folder = (FolderDTO) parent;
-       String fileName = getLastElement(path);
+       final FolderDTO folder = (FolderDTO) parent;
+       final String fileName = getLastElement(path);
 
                FileItemIterator iter;
                File uploadedFile = null;
@@ -822,7 +968,7 @@ public class FilesHandler extends RequestHandler {
 
                                        progressListener.setUserId(user.getId());
                                        progressListener.setFilename(fileName);
-                                       String contentType = item.getContentType();
+                                       final String contentType = item.getContentType();
 
                                        try {
                                                uploadedFile = getService().uploadFile(stream, user.getId());
@@ -830,11 +976,24 @@ public class FilesHandler extends RequestHandler {
                                                throw new GSSIOException(ex, false);
                                        }
                                        FileHeaderDTO fileDTO = null;
+                                       final File upf = uploadedFile;
+                                       final FileHeaderDTO f = file;
+                                       final User u = user;
                                        if (file == null)
-                                               fileDTO = getService().createFile(user.getId(), folder.getId(), fileName, contentType, uploadedFile.getCanonicalFile().length(), uploadedFile.getAbsolutePath());
+                                               fileDTO = new TransactionHelper<FileHeaderDTO>().tryExecute(new Callable<FileHeaderDTO>() {
+                                                       @Override
+                                                       public FileHeaderDTO call() throws Exception {
+                                                               return getService().createFile(u.getId(), folder.getId(), fileName, contentType, upf.getCanonicalFile().length(), upf.getAbsolutePath());
+                                                       }
+                                               });
                                        else
-                                               fileDTO = getService().updateFileContents(user.getId(), file.getId(), contentType, uploadedFile.getCanonicalFile().length(), uploadedFile.getAbsolutePath());
-                                       getService().updateAccounting(owner, new Date(), fileDTO.getFileSize());
+                                               fileDTO = new TransactionHelper<FileHeaderDTO>().tryExecute(new Callable<FileHeaderDTO>() {
+                                                       @Override
+                                                       public FileHeaderDTO call() throws Exception {
+                                                               return getService().updateFileContents(u.getId(), f.getId(), contentType, upf.getCanonicalFile().length(), upf.getAbsolutePath());
+                                                       }
+                                               });
+                                       updateAccounting(owner, new Date(), fileDTO.getFileSize());
                                        getService().removeFileUploadProgress(user.getId(), fileName);
                                }
                        }
@@ -888,44 +1047,15 @@ public class FilesHandler extends RequestHandler {
                        String error = "An error occurred while communicating with the service";
                        logger.error(error, e);
                        response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, error);
+               } catch (Exception e) {
+                       if (uploadedFile != null && uploadedFile.exists())
+                               uploadedFile.delete();
+                       String error = "An internal server error occurred";
+                       logger.error(error, e);
+                       response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, error);
                }
        }
 
-       private String getBackupFilename(FileHeaderDTO file, String filename){
-               List<FileHeaderDTO> deletedFiles = new ArrayList<FileHeaderDTO>();
-               try{
-                       deletedFiles = getService().getDeletedFiles(file.getOwner().getId());
-               }
-               catch(ObjectNotFoundException e){
-
-               } catch (RpcException e) {
-
-               }
-               List<FileHeaderDTO> filesInSameFolder = new ArrayList<FileHeaderDTO>();
-               for(FileHeaderDTO deleted : deletedFiles)
-                       if(deleted.getFolder().getId().equals(file.getFolder().getId()))
-                               filesInSameFolder.add(deleted);
-               int i=1;
-               String filenameToCheck = filename;
-               for(FileHeaderDTO same : filesInSameFolder)
-                       if(same.getName().startsWith(filename)){
-                               String toCheck=same.getName().substring(filename.length(),same.getName().length());
-                               if(toCheck.startsWith(" ")){
-                                       int test =-1;
-                                       try{
-                                               test = Integer.valueOf(toCheck.replace(" ",""));
-                                       }
-                                       catch(NumberFormatException e){
-                                               //do nothing since string is not a number
-                                       }
-                                       if(test>=i)
-                                               i = test+1;
-                               }
-                       }
-
-               return filename+" "+i;
-       }
-
        /**
         * Move the resource in the specified path to the specified destination.
         *
@@ -936,7 +1066,7 @@ public class FilesHandler extends RequestHandler {
         * @throws IOException if an input/output error occurs
         */
        private void moveResource(HttpServletRequest req, HttpServletResponse resp, String path, String moveTo) throws IOException {
-               User user = getUser(req);
+               final User user = getUser(req);
                User owner = getOwner(req);
                Object resource = null;
                try {
@@ -972,12 +1102,27 @@ public class FilesHandler extends RequestHandler {
                }
 
                try {
+                       final User dOwner = destOwner;
+                       final String dest = destination;
                        if (resource instanceof FolderDTO) {
-                               FolderDTO folder = (FolderDTO) resource;
-                               getService().moveFolderToPath(user.getId(), destOwner.getId(), folder.getId(), destination);
+                               final FolderDTO folder = (FolderDTO) resource;
+                               new TransactionHelper<Void>().tryExecute(new Callable<Void>() {
+                                       @Override
+                                       public Void call() throws Exception {
+                                               getService().moveFolderToPath(user.getId(), dOwner.getId(), folder.getId(), dest);
+                                               return null;
+                                       }
+                               });
                        } else {
-                               FileHeaderDTO file = (FileHeaderDTO) resource;
-                               getService().moveFileToPath(user.getId(), destOwner.getId(), file.getId(), destination);
+                               final FileHeaderDTO file = (FileHeaderDTO) resource;
+                               new TransactionHelper<Void>().tryExecute(new Callable<Void>() {
+                                       @Override
+                                       public Void call() throws Exception {
+                                               getService().moveFileToPath(user.getId(), dOwner.getId(), file.getId(), dest);
+                                               return null;
+                                       }
+                               });
+
                        }
                } catch (InsufficientPermissionsException e) {
                        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
@@ -991,6 +1136,8 @@ public class FilesHandler extends RequestHandler {
                        resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
                } catch (QuotaExceededException e) {
                        resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, e.getMessage());
+               } catch (Exception e) {
+                       resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, destination);
                }
        }
 
@@ -1004,7 +1151,7 @@ public class FilesHandler extends RequestHandler {
         * @throws IOException if an input/output error occurs
         */
        private void copyResource(HttpServletRequest req, HttpServletResponse resp, String path, String copyTo) throws IOException {
-               User user = getUser(req);
+               final User user = getUser(req);
                User owner = getOwner(req);
                Object resource = null;
                try {
@@ -1040,12 +1187,26 @@ public class FilesHandler extends RequestHandler {
                }
 
                try {
+                       final User dOwner = destOwner;
+                       final String dest = destination;
                        if (resource instanceof FolderDTO) {
-                               FolderDTO folder = (FolderDTO) resource;
-                               getService().copyFolderStructureToPath(user.getId(), destOwner.getId(), folder.getId(), destination);
+                               final FolderDTO folder = (FolderDTO) resource;
+                               new TransactionHelper<Void>().tryExecute(new Callable<Void>() {
+                                       @Override
+                                       public Void call() throws Exception {
+                                               getService().copyFolderStructureToPath(user.getId(), dOwner.getId(), folder.getId(), dest);
+                                               return null;
+                                       }
+                               });
                        } else {
-                               FileHeaderDTO file = (FileHeaderDTO) resource;
-                               getService().copyFileToPath(user.getId(), destOwner.getId(), file.getId(), destination);
+                               final FileHeaderDTO file = (FileHeaderDTO) resource;
+                               new TransactionHelper<Void>().tryExecute(new Callable<Void>() {
+                                       @Override
+                                       public Void call() throws Exception {
+                                               getService().copyFileToPath(user.getId(), dOwner.getId(), file.getId(), dest);
+                                               return null;
+                                       }
+                               });
                        }
                } catch (InsufficientPermissionsException e) {
                        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
@@ -1059,6 +1220,8 @@ public class FilesHandler extends RequestHandler {
                        resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
                } catch (QuotaExceededException e) {
                        resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, e.getMessage());
+               } catch (Exception e) {
+                       resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, destination);
                }
        }
 
@@ -1131,7 +1294,7 @@ public class FilesHandler extends RequestHandler {
         * @throws IOException if an input/output error occurs
         */
        private void trashResource(HttpServletRequest req, HttpServletResponse resp, String path) throws IOException {
-               User user = getUser(req);
+               final User user = getUser(req);
                User owner = getOwner(req);
                Object resource = null;
                try {
@@ -1146,11 +1309,23 @@ public class FilesHandler extends RequestHandler {
 
                try {
                        if (resource instanceof FolderDTO) {
-                               FolderDTO folder = (FolderDTO) resource;
-                               getService().moveFolderToTrash(user.getId(), folder.getId());
+                               final FolderDTO folder = (FolderDTO) resource;
+                               new TransactionHelper<Void>().tryExecute(new Callable<Void>() {
+                                       @Override
+                                       public Void call() throws Exception {
+                                               getService().moveFolderToTrash(user.getId(), folder.getId());
+                                               return null;
+                                       }
+                               });
                        } else {
-                               FileHeaderDTO file = (FileHeaderDTO) resource;
-                               getService().moveFileToTrash(user.getId(), file.getId());
+                               final FileHeaderDTO file = (FileHeaderDTO) resource;
+                               new TransactionHelper<Void>().tryExecute(new Callable<Void>() {
+                                       @Override
+                                       public Void call() throws Exception {
+                                               getService().moveFileToTrash(user.getId(), file.getId());
+                                               return null;
+                                       }
+                               });
                        }
                } catch (InsufficientPermissionsException e) {
                        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
@@ -1158,6 +1333,8 @@ public class FilesHandler extends RequestHandler {
                        resp.sendError(HttpServletResponse.SC_NOT_FOUND, e.getMessage());
                } catch (RpcException e) {
                        resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, path);
+               } catch (Exception e) {
+                       resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, path);
                }
        }
 
@@ -1170,7 +1347,7 @@ public class FilesHandler extends RequestHandler {
         * @throws IOException if an input/output error occurs
         */
        private void restoreResource(HttpServletRequest req, HttpServletResponse resp, String path) throws IOException {
-               User user = getUser(req);
+               final User user = getUser(req);
                User owner = getOwner(req);
                Object resource = null;
                try {
@@ -1185,11 +1362,23 @@ public class FilesHandler extends RequestHandler {
 
                try {
                        if (resource instanceof FolderDTO) {
-                               FolderDTO folder = (FolderDTO) resource;
-                               getService().removeFolderFromTrash(user.getId(), folder.getId());
+                               final FolderDTO folder = (FolderDTO) resource;
+                               new TransactionHelper<Void>().tryExecute(new Callable<Void>() {
+                                       @Override
+                                       public Void call() throws Exception {
+                                               getService().removeFolderFromTrash(user.getId(), folder.getId());
+                                               return null;
+                                       }
+                               });
                        } else {
-                               FileHeaderDTO file = (FileHeaderDTO) resource;
-                               getService().removeFileFromTrash(user.getId(), file.getId());
+                               final FileHeaderDTO file = (FileHeaderDTO) resource;
+                               new TransactionHelper<Void>().tryExecute(new Callable<Void>() {
+                                       @Override
+                                       public Void call() throws Exception {
+                                               getService().removeFileFromTrash(user.getId(), file.getId());
+                                               return null;
+                                       }
+                               });
                        }
                } catch (InsufficientPermissionsException e) {
                        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
@@ -1197,6 +1386,8 @@ public class FilesHandler extends RequestHandler {
                        resp.sendError(HttpServletResponse.SC_NOT_FOUND, e.getMessage());
                } catch (RpcException e) {
                        resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, path);
+               } catch (Exception e) {
+                       resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, path);
                }
        }
 
@@ -1209,9 +1400,10 @@ public class FilesHandler extends RequestHandler {
         * @throws IOException if an input/output error occurs
         */
        private void updateResource(HttpServletRequest req, HttpServletResponse resp, String path) throws IOException {
-               User user = getUser(req);
+               final User user = getUser(req);
                User owner = getOwner(req);
                Object resource = null;
+
                try {
                        resource = getService().getResourceAtPath(owner.getId(), path, false);
                } catch (ObjectNotFoundException e) {
@@ -1221,49 +1413,56 @@ public class FilesHandler extends RequestHandler {
                        resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, path);
                        return;
                }
-               //use utf-8 encoding for reading request
-               BufferedReader reader = new BufferedReader(new InputStreamReader(req.getInputStream(),"UTF-8"));
                StringBuffer input = new StringBuffer();
-               String line = null;
                JSONObject json = null;
-               while ((line = reader.readLine()) != null)
-                       input.append(line);
-               reader.close();
+               if (req.getContentType() != null && req.getContentType().startsWith("application/x-www-form-urlencoded"))
+                       input.append(req.getParameter(RESOURCE_UPDATE_PARAMETER));
+               else {
+                       // Assume application/json
+                       BufferedReader reader = new BufferedReader(new InputStreamReader(req.getInputStream(),"UTF-8"));
+                       String line = null;
+                       while ((line = reader.readLine()) != null)
+                               input.append(line);
+                       reader.close();
+               }
                try {
                        json = new JSONObject(input.toString());
                        if (logger.isDebugEnabled())
                                logger.debug("JSON update: " + json);
                        if (resource instanceof FolderDTO) {
-                               FolderDTO folder = (FolderDTO) resource;
+                               final FolderDTO folder = (FolderDTO) resource;
                                String name = json.optString("name");
-                               if (!name.isEmpty()){
-                                       try {
-                                               name = URLDecoder.decode(name, "UTF-8");
-                                       } catch (IllegalArgumentException e) {
-                                               resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
-                                               return;
-                                       }
-                                       getService().modifyFolder(user.getId(), folder.getId(), name);
-                                       FolderDTO folderUpdated = getService().getFolder(user.getId(), folder.getId());
-                                       String parentUrl =URLDecoder.decode(getContextPath(req, true),"UTF-8");
-                                       String fpath = URLDecoder.decode(req.getPathInfo(), "UTF-8");
-                                       parentUrl = parentUrl.replaceAll(fpath, "");
-                                       if(!parentUrl.endsWith("/"))
-                                               parentUrl = parentUrl+"/";
-                                       parentUrl = parentUrl+folderUpdated.getOwner().getUsername()+PATH_FILES+folderUpdated.getPath();
-                                       resp.getWriter().println(parentUrl);
-                               }
-
                                JSONArray permissions = json.optJSONArray("permissions");
-                               if (permissions != null) {
-                                       Set<PermissionDTO> perms = parsePermissions(user, permissions);
-                                       getService().setFolderPermissions(user.getId(), folder.getId(), perms);
+                               Set<PermissionDTO> perms = null;
+                               if (permissions != null)
+                                       perms = parsePermissions(user, permissions);
+                               Boolean readForAll = null;
+                               if (json.opt("readForAll") != null)
+                                       readForAll = json.optBoolean("readForAll");
+                               if (!name.isEmpty() || permissions != null || readForAll != null) {
+                                       final String fName = name.isEmpty()? null: name;
+                                       final Boolean freadForAll =  readForAll;
+                                       final Set<PermissionDTO> fPerms = perms;
+                                       FolderDTO folderUpdated = new TransactionHelper<FolderDTO>().tryExecute(new Callable<FolderDTO>() {
+                                               @Override
+                                               public FolderDTO call() throws Exception {
+                                                       return getService().updateFolder(user.getId(), folder.getId(), fName, freadForAll, fPerms);
+                                               }
+
+                                       });
+                                       resp.getWriter().println(getNewUrl(req, folderUpdated));
                                }
                        } else {
-                               FileHeaderDTO file = (FileHeaderDTO) resource;
+                               final FileHeaderDTO file = (FileHeaderDTO) resource;
                                String name = null;
                                if (json.opt("name") != null)
                                        name = json.optString("name");
+                               Long modificationDate = null;
+                               if (json.optLong("modificationDate") != 0)
+                                       modificationDate = json.optLong("modificationDate");
+                               Boolean versioned = null;
+                               if (json.opt("versioned") != null)
+                                       versioned = json.getBoolean("versioned");
                                JSONArray tagset = json.optJSONArray("tags");
                                String tags = null;
                                StringBuffer t = new StringBuffer();
@@ -1272,9 +1471,6 @@ public class FilesHandler extends RequestHandler {
                                                t.append(tagset.getString(i) + ',');
                                        tags = t.toString();
                                }
-                               if (name != null || tags != null)
-                                       getService().updateFile(user.getId(), file.getId(), name, tags);
-
                                JSONArray permissions = json.optJSONArray("permissions");
                                Set<PermissionDTO> perms = null;
                                if (permissions != null)
@@ -1282,12 +1478,25 @@ public class FilesHandler extends RequestHandler {
                                Boolean readForAll = null;
                                if (json.opt("readForAll") != null)
                                        readForAll = json.optBoolean("readForAll");
-                               if (perms != null || readForAll != null)
-                                       getService().setFilePermissions(user.getId(), file.getId(), readForAll, perms);
-
-                               if (json.opt("versioned") != null) {
-                                       boolean versioned = json.getBoolean("versioned");
-                                       getService().toggleFileVersioning(user.getId(), file.getId(), versioned);
+                               if (name != null || tags != null || modificationDate != null
+                                                       || versioned != null || perms != null
+                                                       || readForAll != null) {
+                                       final String fName = name;
+                                       final String fTags = tags;
+                                       final Date mDate = modificationDate != null? new Date(modificationDate): null;
+                                       final Boolean fVersioned = versioned;
+                                       final Boolean fReadForAll = readForAll;
+                                       final Set<PermissionDTO> fPerms = perms;
+                                       new TransactionHelper<Object>().tryExecute(new Callable<Object>() {
+                                               @Override
+                                               public Object call() throws Exception {
+                                                       getService().updateFile(user.getId(), file.getId(),
+                                                                               fName, fTags, mDate, fVersioned,
+                                                                               fReadForAll, fPerms);
+                                                       return null;
+                                               }
+
+                                       });
                                }
                        }
                } catch (JSONException e) {
@@ -1300,10 +1509,27 @@ public class FilesHandler extends RequestHandler {
                        resp.sendError(HttpServletResponse.SC_CONFLICT, e.getMessage());
                } catch (RpcException e) {
                        resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, path);
+               } catch (Exception e) {
+                       resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, path);
+                       return;
                }
        }
 
        /**
+        * Returns the new URL of an updated folder.
+        */
+       private String getNewUrl(HttpServletRequest req, FolderDTO folder) throws UnsupportedEncodingException {
+               String parentUrl = URLDecoder.decode(getContextPath(req, true),"UTF-8");
+               String fpath = URLDecoder.decode(getRelativePath(req), "UTF-8");
+               if (parentUrl.indexOf(fpath) != -1)
+                       parentUrl = parentUrl.substring(0, parentUrl.indexOf(fpath));
+               if(!parentUrl.endsWith("/"))
+                       parentUrl = parentUrl+"/";
+               parentUrl = parentUrl+folder.getOwner().getUsername()+PATH_FILES+folder.getPath();
+               return parentUrl;
+       }
+
+       /**
         * Helper method to convert a JSON array of permissions into a set of
         * PermissionDTO objects.
         *
@@ -1313,9 +1539,10 @@ public class FilesHandler extends RequestHandler {
         * @throws JSONException if there was an error parsing the JSON object
         * @throws RpcException if there was an error communicating with the EJB
         * @throws ObjectNotFoundException if the user could not be found
+        * @throws UnsupportedEncodingException
         */
        private Set<PermissionDTO> parsePermissions(User user, JSONArray permissions)
-                       throws JSONException, RpcException, ObjectNotFoundException {
+                       throws JSONException, RpcException, ObjectNotFoundException, UnsupportedEncodingException {
                if (permissions == null)
                        return null;
                Set<PermissionDTO> perms = new HashSet<PermissionDTO>();
@@ -1332,13 +1559,24 @@ public class FilesHandler extends RequestHandler {
                                        throw new ObjectNotFoundException("User " + permUser + " not found");
                                perm.setUser(u.getDTO());
                        }
+                       // 31/8/2009: Add optional groupUri which takes priority if it exists
+                       String permGroupUri = j.optString("groupUri");
                        String permGroup = j.optString("group");
-                       if (!permGroup.isEmpty()) {
+                       if (!permGroupUri.isEmpty()) {
+                               String[] names = permGroupUri.split("/");
+                               String grp = URLDecoder.decode(names[names.length - 1], "UTF-8");
+                               String usr = URLDecoder.decode(names[names.length - 3], "UTF-8");
+                               User u = getService().findUser(usr);
+                               if (u == null)
+                                       throw new ObjectNotFoundException("User " + permUser + " not found");
+                               GroupDTO g = getService().getGroup(u.getId(), grp);
+                               perm.setGroup(g);
+                       }
+                       else if (!permGroup.isEmpty()) {
                                GroupDTO g = getService().getGroup(user.getId(), permGroup);
                                perm.setGroup(g);
                        }
-                       if (permUser.isEmpty() && permGroup.isEmpty() ||
-                                               permUser.isEmpty() && permGroup.isEmpty())
+                       if (permUser.isEmpty() && permGroupUri.isEmpty() && permGroup.isEmpty())
                                throw new JSONException("A permission must correspond to either a user or a group");
                        perms.add(perm);
                }
@@ -1354,11 +1592,11 @@ public class FilesHandler extends RequestHandler {
         * @param folderName the name of the new folder
         * @throws IOException if an input/output error occurs
         */
-       private void createFolder(HttpServletRequest req, HttpServletResponse resp, String path, String folderName) throws IOException {
+       private void createFolder(HttpServletRequest req, HttpServletResponse resp, String path, final String folderName) throws IOException {
                if (logger.isDebugEnabled())
                        logger.debug("Creating folder " + folderName + " in '" + path);
 
-       User user = getUser(req);
+       final User user = getUser(req);
        User owner = getOwner(req);
         boolean exists = true;
         try {
@@ -1389,9 +1627,15 @@ public class FilesHandler extends RequestHandler {
                }
                try {
                        if (parent instanceof FolderDTO) {
-                               FolderDTO folder = (FolderDTO) parent;
-                               getService().createFolder(user.getId(), folder.getId(), folderName);
-                       String newResource = getContextPath(req, true) + folderName;
+                               final FolderDTO folder = (FolderDTO) parent;
+                               FolderDTO newFolder = new TransactionHelper<FolderDTO>().tryExecute(new Callable<FolderDTO>() {
+                                       @Override
+                                       public FolderDTO call() throws Exception {
+                                               return getService().createFolder(user.getId(), folder.getId(), folderName);
+                                       }
+
+                               });
+                       String newResource = getApiRoot() + newFolder.getURI();
                        resp.setHeader("Location", newResource);
                        resp.setContentType("text/plain");
                    PrintWriter out = resp.getWriter();
@@ -1412,6 +1656,9 @@ public class FilesHandler extends RequestHandler {
                } catch (RpcException e) {
                        resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, path + folderName);
                        return;
+               } catch (Exception e) {
+               resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, path);
+                       return;
                }
        resp.setStatus(HttpServletResponse.SC_CREATED);
        }
@@ -1501,11 +1748,17 @@ public class FilesHandler extends RequestHandler {
                                throw new GSSIOException(ex, false);
                        }
                FileHeaderDTO fileDTO = null;
+               final File uploadedf = uploadedFile;
+                       final FolderDTO parentf = folder;
+                       final FileHeaderDTO f = file;
             if (exists)
-               fileDTO = getService().updateFileContents(user.getId(), file.getId(), mimeType, uploadedFile.getCanonicalFile().length(), uploadedFile.getAbsolutePath());
-                       else {
-                               final File uploadedf = uploadedFile;
-                               final FolderDTO parentf = folder;
+               fileDTO = new TransactionHelper<FileHeaderDTO>().tryExecute(new Callable<FileHeaderDTO>() {
+                                       @Override
+                                       public FileHeaderDTO call() throws Exception {
+                                               return getService().updateFileContents(user.getId(), f.getId(), mimeType, uploadedf.getCanonicalFile().length(), uploadedf.getAbsolutePath());
+                                       }
+                               });
+                       else
                                fileDTO = new TransactionHelper<FileHeaderDTO>().tryExecute(new Callable<FileHeaderDTO>() {
                                        @Override
                                        public FileHeaderDTO call() throws Exception {
@@ -1513,8 +1766,7 @@ public class FilesHandler extends RequestHandler {
                                        }
 
                                });
-                       }
-            getService().updateAccounting(owner, new Date(), fileDTO.getFileSize());
+            updateAccounting(owner, new Date(), fileDTO.getFileSize());
                        getService().removeFileUploadProgress(user.getId(), fileDTO.getName());
         } catch(ObjectNotFoundException e) {
             result = false;
@@ -1562,7 +1814,7 @@ public class FilesHandler extends RequestHandler {
        if (logger.isDebugEnabled())
                        logger.debug("Deleting resource '" + path);
        path = URLDecoder.decode(path, "UTF-8");
-       User user = getUser(req);
+       final User user = getUser(req);
        User owner = getOwner(req);
        boolean exists = true;
        Object object = null;
@@ -1589,7 +1841,14 @@ public class FilesHandler extends RequestHandler {
 
        if (file != null)
                        try {
-                               getService().deleteFile(user.getId(), file.getId());
+                               final FileHeaderDTO f = file;
+                               new TransactionHelper<Void>().tryExecute(new Callable<Void>() {
+                                       @Override
+                                       public Void call() throws Exception {
+                                               getService().deleteFile(user.getId(), f.getId());
+                                               return null;
+                                       }
+                               });
                } catch (InsufficientPermissionsException e) {
                        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                                return;
@@ -1601,10 +1860,20 @@ public class FilesHandler extends RequestHandler {
                } catch (RpcException e) {
                        resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                        return;
+               } catch (Exception e) {
+                       resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+                       return;
                }
                else if (folder != null)
                        try {
-                       getService().deleteFolder(user.getId(), folder.getId());
+                               final FolderDTO fo = folder;
+                               new TransactionHelper<Void>().tryExecute(new Callable<Void>() {
+                                       @Override
+                                       public Void call() throws Exception {
+                                               getService().deleteFolder(user.getId(), fo.getId());
+                                               return null;
+                                       }
+                               });
                } catch (InsufficientPermissionsException e) {
                        resp.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                        return;
@@ -1614,6 +1883,9 @@ public class FilesHandler extends RequestHandler {
                } catch (RpcException e) {
                        resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                        return;
+               } catch (Exception e) {
+                       resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+                       return;
                }
                resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        return;
@@ -1639,7 +1911,9 @@ public class FilesHandler extends RequestHandler {
                                        put("owner", folder.getOwner().getUsername()).
                                        put("createdBy", folder.getAuditInfo().getCreatedBy().getUsername()).
                                        put("creationDate", folder.getAuditInfo().getCreationDate().getTime()).
-                                       put("deleted", folder.isDeleted());
+                                       put("deleted", folder.isDeleted()).
+                                       put("readForAll", folder.isReadForAll());
+
                        if (folder.getAuditInfo().getModifiedBy() != null)
                                json.put("modifiedBy", folder.getAuditInfo().getModifiedBy().getUsername()).
                                                put("modificationDate", folder.getAuditInfo().getModificationDate().getTime());
@@ -1808,8 +2082,11 @@ public class FilesHandler extends RequestHandler {
                        permission.put("read", p.hasRead()).put("write", p.hasWrite()).put("modifyACL", p.hasModifyACL());
                        if (p.getUser() != null)
                                permission.put("user", p.getUser().getUsername());
-                       if (p.getGroup() != null)
+                       if (p.getGroup() != null) {
+                               GroupDTO group = p.getGroup();
+                               permission.put("groupUri", getApiRoot() + group.getOwner().getUsername() + PATH_GROUPS + "/" + URLEncoder.encode(group.getName(),"UTF-8"));
                                permission.put("group", URLEncoder.encode(p.getGroup().getName(),"UTF-8"));
+                       }
                        perms.put(permission);
                }
                return perms;
@@ -1853,8 +2130,6 @@ public class FilesHandler extends RequestHandler {
 
                private long fileSize = -100;
 
-               private long tenKBRead = -1;
-
                private Long userId;
 
                private String filename;
@@ -1883,6 +2158,7 @@ public class FilesHandler extends RequestHandler {
                        filename = aFilename;
                }
 
+               @Override
                public void update(long bytesRead, long contentLength, int items) {
                        //monitoring per percent of bytes uploaded
                        bytesTransferred = bytesRead;
@@ -1903,4 +2179,184 @@ public class FilesHandler extends RequestHandler {
                                }
                }
        }
+       /**
+        * Return an InputStream to an HTML representation of the contents of this
+        * directory.
+        *
+        * @param contextPath Context path to which our internal paths are relative
+        * @param relativePath the requested relative path to the resource
+        * @param folder the specified directory
+        * @param req the HTTP request
+        * @return an input stream with the rendered contents
+        * @throws IOException
+        * @throws ServletException
+        */
+       private InputStream renderHtml(String contextPath, String relativePath, FolderDTO folder, User user) throws IOException, ServletException {
+               String name = folder.getName();
+               // Prepare a writer to a buffered area
+               ByteArrayOutputStream stream = new ByteArrayOutputStream();
+               OutputStreamWriter osWriter = new OutputStreamWriter(stream, "UTF8");
+               PrintWriter writer = new PrintWriter(osWriter);
+               StringBuffer sb = new StringBuffer();
+               // rewriteUrl(contextPath) is expensive. cache result for later reuse
+               String rewrittenContextPath = rewriteUrl(contextPath);
+               // Render the page header
+               sb.append("<html>\r\n");
+               sb.append("<head>\r\n");
+               sb.append("<title>");
+               sb.append("Index of " + name);
+               sb.append("</title>\r\n");
+               sb.append("<STYLE><!--");
+               sb.append(GSS_CSS);
+               sb.append("--></STYLE> ");
+               sb.append("</head>\r\n");
+               sb.append("<body>");
+               sb.append("<h1>");
+               sb.append("Index of " + name);
+
+               // Render the link to our parent (if required)
+               String folderPath = folder.getPath();
+               int indexFolderPath = relativePath.indexOf(folderPath);
+               String relativePathNoFolderName = null;
+               if(indexFolderPath != 0)
+                       relativePathNoFolderName = relativePath.substring(0, indexFolderPath);
+               else
+                       relativePathNoFolderName = relativePath;
+               String parentDirectory = folderPath;
+               //To-do: further search in encoding folder names with special characters
+               //String rewrittenParentDirectory = rewriteUrl(parentDirectory);
+               if (parentDirectory.endsWith("/"))
+                       parentDirectory = parentDirectory.substring(0, parentDirectory.length() - 1);
+               int slash = parentDirectory.lastIndexOf('/');
+               parentDirectory = parentDirectory.substring(0,slash);
+               if (slash >= 0) {
+                       sb.append(" - <a href=\"");
+                       sb.append(rewrittenContextPath);
+                       sb.append(relativePathNoFolderName);
+                       sb.append(parentDirectory);
+                       if (!parentDirectory.endsWith("/"))
+                               sb.append("/");
+                       sb.append("\">");
+                       sb.append("<b>");
+                       sb.append("Up To ");
+                       if (parentDirectory.equals(""))
+                               parentDirectory = "/";
+                       sb.append(parentDirectory);
+                       sb.append("</b>");
+                       sb.append("</a>");
+               }
+
+               sb.append("</h1>");
+               sb.append("<HR size=\"1\" noshade=\"noshade\">");
+
+               sb.append("<table width=\"100%\" cellspacing=\"0\"" + " cellpadding=\"5\" align=\"center\">\r\n");
+
+               // Render the column headings
+               sb.append("<tr>\r\n");
+               sb.append("<td align=\"left\"><font size=\"+1\"><strong>");
+               sb.append("Name");
+               sb.append("</strong></font></td>\r\n");
+               sb.append("<td align=\"center\"><font size=\"+1\"><strong>");
+               sb.append("Size");
+               sb.append("</strong></font></td>\r\n");
+               sb.append("<td align=\"right\"><font size=\"+1\"><strong>");
+               sb.append("Last modified");
+               sb.append("</strong></font></td>\r\n");
+               sb.append("</tr>");
+               // Render the directory entries within this directory
+               boolean shade = false;
+               Iterator iter = folder.getSubfolders().iterator();
+               while (iter.hasNext()) {
+                       FolderDTO subf = (FolderDTO) iter.next();
+                       String resourceName = subf.getName();
+                       if (resourceName.equalsIgnoreCase("WEB-INF") || resourceName.equalsIgnoreCase("META-INF"))
+                               continue;
+
+                       sb.append("<tr");
+                       if (shade)
+                               sb.append(" bgcolor=\"#eeeeee\"");
+                       sb.append(">\r\n");
+                       shade = !shade;
+
+                       sb.append("<td align=\"left\">&nbsp;&nbsp;\r\n");
+                       sb.append("<a href=\"");
+                       sb.append(rewrittenContextPath);
+                       sb.append(relativePathNoFolderName);
+                       sb.append(folderPath + resourceName);
+                       sb.append("/");
+                       sb.append("\"><tt>");
+                       sb.append(RequestUtil.filter(resourceName));
+                       sb.append("/");
+                       sb.append("</tt></a></td>\r\n");
+
+                       sb.append("<td align=\"right\"><tt>");
+                       sb.append("&nbsp;");
+                       sb.append("</tt></td>\r\n");
+
+                       sb.append("<td align=\"right\"><tt>");
+                       sb.append(getLastModifiedHttp(folder.getAuditInfo()));
+                       sb.append("</tt></td>\r\n");
+
+                       sb.append("</tr>\r\n");
+               }
+               List<FileHeaderDTO> files;
+               try {
+                       files = getService().getFiles(user.getId(), folder.getId(), true);
+               } catch (ObjectNotFoundException e) {
+                       throw new ServletException(e.getMessage());
+               } catch (InsufficientPermissionsException e) {
+                       throw new ServletException(e.getMessage());
+               } catch (RpcException e) {
+                       throw new ServletException(e.getMessage());
+               }
+               for (FileHeaderDTO file : files)
+                       //Display only file resources that are marked as public
+                       if(file.isReadForAll()){
+                               String resourceName = file.getName();
+                               if (resourceName.equalsIgnoreCase("WEB-INF") || resourceName.equalsIgnoreCase("META-INF"))
+                                       continue;
+
+                               sb.append("<tr");
+                               if (shade)
+                                       sb.append(" bgcolor=\"#eeeeee\"");
+                               sb.append(">\r\n");
+                               shade = !shade;
+
+                               sb.append("<td align=\"left\">&nbsp;&nbsp;\r\n");
+                               sb.append("<a href=\"");
+                               sb.append(rewrittenContextPath);
+                               sb.append(relativePath);
+                               if(!relativePath.endsWith("/"))
+                                       sb.append("/");
+                               sb.append(rewriteUrl(resourceName));
+                               sb.append("\"><tt>");
+                               sb.append(RequestUtil.filter(resourceName));
+                               sb.append("</tt></a></td>\r\n");
+
+                               sb.append("<td align=\"right\"><tt>");
+                               sb.append(renderSize(file.getFileSize()));
+                               sb.append("</tt></td>\r\n");
+
+                               sb.append("<td align=\"right\"><tt>");
+                               sb.append(getLastModifiedHttp(file.getAuditInfo()));
+                               sb.append("</tt></td>\r\n");
+
+                               sb.append("</tr>\r\n");
+                       }
+
+               // Render the page footer
+               sb.append("</table>\r\n");
+
+               sb.append("<HR size=\"1\" noshade=\"noshade\">");
+
+               //sb.append("<h3>").append(getServletContext().getServerInfo()).append("</h3>");
+               sb.append("</body>\r\n");
+               sb.append("</html>\r\n");
+
+               // Return an input stream to the underlying bytes
+               writer.write(sb.toString());
+               writer.flush();
+               return new ByteArrayInputStream(stream.toByteArray());
+
+       }
 }
Unnamed repository; edit this file 'description' to name the repository.