  1. Struts 2
  2. WW-3481

Using stream results with content-disposition: attachment; filename="whatever" in HTTPS and IE does not work



    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s:
    • Fix Version/s: 3.0
    • Component/s: "New" API, Documentation
    • Labels:


      I have a page which allows the download of files. I implement some complex security around this so I use a stream result from an action to return the resulting file. It works beautifully in Firefox, Chrome, Opera etc but in IE (I'm using version 8 but I think it affects other versions as well) it gives an error - "Internet Explorer cannot download <whatever> from <wherever>. Internet explorer was not able to open this Internet Site. The request is either unavailable or cannot be found. Please try again later."

      This is apparently to do with the Cache-Control: no-cache being incorrectly implemented in IE since version 6 (i.e. all current versions). As I understand it, IE deletes the file before it can be saved.

      The solution in the documentation at http://struts.apache.org/ points to http://struts.apache.org/ which is very out of date (I don't think interceptors work that way any more) and even when adapted to version (my feeble effort below) doesn't work because I can't change the allowCaching parameter at run time (it needs to be true for IE downloads and false for everything else).

      It would be really good to:
      1) Make the allowCaching parameter of the StreamResult class take a stack parameter and OGNL expression (like the other parameters)
      2) Include the workaround for IE misbehaviour in the StreamResult class doExecute method

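      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      import org.apache.struts2.ServletActionContext;
      import com.opensymphony.xwork2.ActionInvocation;
      import com.opensymphony.xwork2.interceptor.Interceptor;

      public class HTTPRequestCachePrivateInterceptor implements Interceptor {
          public void destroy() {}

          public void init() {}

          public String intercept(ActionInvocation invocation) throws Exception {
              HttpServletRequest request = (HttpServletRequest) invocation.getInvocationContext().get(ServletActionContext.HTTP_REQUEST);
              HttpServletResponse response = (HttpServletResponse) invocation.getInvocationContext().get(ServletActionContext.HTTP_RESPONSE);
              if (request != null && response != null) {
                  // Only HTTPS requests are affected
                  if (request.isSecure()) {
                      String userAgent = request.getHeader("User-Agent");
                      if (userAgent != null) {
                          // Internet Explorer identifies itself with "MSIE"
                          if (userAgent.indexOf("MSIE") >= 0) {
                              // Let IE keep the file long enough to save it
                              response.setHeader("Cache-Control", "private, no-transform, must-revalidate, max-age=5");
                          }
                      }
                  }
              }
              // Continue with the rest of the interceptor stack and the action
              return invocation.invoke();
          }
      }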
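
One way to work around the fixed allowCaching parameter described in the report, as an added example that is not part of the original report or of the Struts code base: declare two stream results and let the action pick one per request. The class name DownloadAction, the result name ieHttps, the file name and the sample content are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.servlet.http.HttpServletRequest;
import org.apache.struts2.interceptor.ServletRequestAware;
import com.opensymphony.xwork2.ActionSupport;

/*
 * Assumed struts.xml mapping (hypothetical action and result names):
 *
 * <action name="download" class="example.DownloadAction">
 *   <!-- every browser except IE over HTTPS: keep the no-cache headers -->
 *   <result name="success" type="stream">
 *     <param name="contentDisposition">attachment; filename="${fileName}"</param>
 *     <param name="allowCaching">false</param>
 *   </result>
 *   <!-- IE over HTTPS: StreamResult must not send no-cache -->
 *   <result name="ieHttps" type="stream">
 *     <param name="contentDisposition">attachment; filename="${fileName}"</param>
 *     <param name="allowCaching">true</param>
 *   </result>
 * </action>
 */
public class DownloadAction extends ActionSupport implements ServletRequestAware {
    private HttpServletRequest request;
    private InputStream inputStream;
    private final String fileName = "report.txt"; // constructed sample name

    public void setServletRequest(HttpServletRequest request) {
        this.request = request;
    }

    @Override
    public String execute() {
        // The application's own authorization checks belong here, before any bytes are exposed.
        inputStream = new ByteArrayInputStream(
                "constructed sample content".getBytes(StandardCharsets.UTF_8));
        boolean relax = needsCacheableResponse(request.isSecure(), request.getHeader("User-Agent"));
        return relax ? "ieHttps" : SUCCESS;
    }

    // Same condition as the interceptor in the report: HTTPS plus an MSIE user agent.
    static boolean needsCacheableResponse(boolean secure, String userAgent) {
        return secure && userAgent != null && userAgent.contains("MSIE");
    }

    public InputStream getInputStream() { return inputStream; } // default inputName of the stream result
    public String getFileName() { return fileName; }
}
```

With allowCaching set to true on the ieHttps result, StreamResult sends no no-cache headers for that response, so a restrictive header such as the Cache-Control: private value set by the interceptor above is what limits caching of the file.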




            • Assignee:
              andyc Andy Clark


              • Created: