Documentation

You are viewing the documentation for the 2.6.x release series. The latest stable release series is 3.0.x.

§Handling file upload

§Uploading files in a form using multipart/form-data

The standard way to upload files in a web application is to use a form with a special multipart/form-data encoding, which lets you mix standard form data with file attachment data.

Note: The HTTP method used to submit the form must be POST (not GET).

Start by writing an HTML form:

@helper.form(action = routes.ScalaFileUploadController.upload, 'enctype -> "multipart/form-data") {
    
    <input type="file" name="picture">
    
    <p>
        <input type="submit">
    </p>
    
}

Add a CSRF token to the form, unless you have the CSRF filter disabled. The CSRF filter checks the multi-part form in the order the fields are listed, so put the CSRF token before the file input field. This improves efficiency and avoids a token-not-found error if the file size exceeds play.filters.csrf.body.bufferSize.

Now define the upload action using a multipartFormData body parser:

def upload = Action(parse.multipartFormData) { request =>
  request.body
    .file("picture")
    .map { picture =>
      // only get the last part of the filename
      // otherwise someone can send a path like ../../home/foo/bar.txt to write to other files on the system
      val filename = Paths.get(picture.filename).getFileName

      picture.ref.moveTo(Paths.get(s"/tmp/picture/$filename"), replace = true)
      Ok("File uploaded")
    }
    .getOrElse {
      Redirect(routes.ScalaFileUploadController.index).flashing("error" -> "Missing file")
    }
}

The ref attribute give you a reference to a TemporaryFile. This is the default way the multipartFormData parser handles file upload.

Note: As always, you can also use the anyContent body parser and retrieve it as request.body.asMultipartFormData.

At last, add a POST router

POST  /          controllers.ScalaFileUploadController.upload()

§Direct file upload

Another way to send files to the server is to use Ajax to upload the file asynchronously in a form. In this case the request body will not have been encoded as multipart/form-data, but will just contain the plain file content.

In this case we can just use a body parser to store the request body content in a file. For this example, let’s use the temporaryFile body parser:

def upload = Action(parse.temporaryFile) { request =>
  request.body.moveTo(Paths.get("/tmp/picture/uploaded"), replace = true)
  Ok("File uploaded")
}

§Writing your own body parser

If you want to handle the file upload directly without buffering it in a temporary file, you can just write your own BodyParser. In this case, you will receive chunks of data that you are free to push anywhere you want.

If you want to use multipart/form-data encoding, you can still use the default multipartFormData parser by providing a FilePartHandler[A] and using a different Sink to accumulate data. For example, you can use a FilePartHandler[File] rather than a TemporaryFile by specifying an Accumulator(fileSink):

type FilePartHandler[A] = FileInfo => Accumulator[ByteString, FilePart[A]]

def handleFilePartAsFile: FilePartHandler[File] = {
  case FileInfo(partName, filename, contentType) =>
    val perms       = java.util.EnumSet.of(OWNER_READ, OWNER_WRITE)
    val attr        = PosixFilePermissions.asFileAttribute(perms)
    val path        = JFiles.createTempFile("multipartBody", "tempFile", attr)
    val file        = path.toFile
    val fileSink    = FileIO.toPath(path)
    val accumulator = Accumulator(fileSink)
    accumulator.map {
      case IOResult(count, status) =>
        FilePart(partName, filename, contentType, file)
    }(ec)
}

def uploadCustom = Action(parse.multipartFormData(handleFilePartAsFile)) { request =>
  val fileOption = request.body.file("name").map {
    case FilePart(key, filename, contentType, file) =>
      file.toPath
  }

  Ok(s"File uploaded: $fileOption")
}

§Cleaning up temporary files

Uploading files uses a TemporaryFile API which relies on storing files in a temporary filesystem, accessible through the ref attribute. All TemporaryFile references come from a TemporaryFileCreator trait, and the implementation can be swapped out as necessary, and there’s now an atomicMoveWithFallback method that uses StandardCopyOption.ATOMIC_MOVE if available.

Uploading files is an inherently dangerous operation, because unbounded file upload can cause the filesystem to fill up – as such, the idea behind TemporaryFile is that it’s only in scope at completion and should be moved out of the temporary file system as soon as possible. Any temporary files that are not moved are deleted.

However, under certain conditions, garbage collection does not occur in a timely fashion. As such, there’s also a play.api.libs.Files.TemporaryFileReaper that can be enabled to delete temporary files on a scheduled basis using the Akka scheduler, distinct from the garbage collection method.

The reaper is disabled by default, and is enabled through application.conf:

play.temporaryFile {
  reaper {
    enabled = true
    initialDelay = "5 minutes"
    interval = "30 seconds"
    olderThan = "30 minutes"
  }
}

The above configuration will delete files that are more than 30 minutes old, using the “olderThan” property. It will start the reaper five minutes after the application starts, and will check the filesystem every 30 seconds thereafter. The reaper is not aware of any existing file uploads, so protracted file uploads may run into the reaper if the system is not carefully configured.

Next: Accessing an SQL database


Found an error in this documentation? The source code for this page can be found here. After reading the documentation guidelines, please feel free to contribute a pull request. Have questions or advice to share? Go to our community forums to start a conversation with the community.