When storing (sensitive) user-specific files in webapp, ensure that you store it somewhere in /WEB-INFand access them with a Servletwhich (indirectly) checks the logged in user, otherwise it's accessible for any user/hacker on the world wide web. The advantage is that it's easily accessible programmatically by ServletContext#getResource()or #getRealPath(). The disadvantage is that they will get lost whenever you redeploy the webapp.

在 webapp 中存储（敏感）特定于用户的文件时，请确保将其存储在某个位置/WEB-INF并使用Servlet它（间接）检查登录用户来访问它们，否则万维网上的任何用户/黑客都可以访问它。优点是它可以通过ServletContext#getResource()或 以编程方式轻松访问#getRealPath()。缺点是每当您重新部署 web 应用程序时，它们都会丢失。

You can also store them in the default temporary folder. The advantage is that it is accessible by standard API's like File#createTempFile()or System.getProperty("java.io.tmpdir"). The temporary folder has the disadvantage that OS-controlled folder cleanup is not controllable from Java, so you may risk the stuff getting lost whenever you close the resource but still need it later.

您还可以将它们存储在默认的临时文件夹中。优点是它可以通过标准 API 访问，例如File#createTempFile()或System.getProperty("java.io.tmpdir")。临时文件夹的缺点是操作系统控制的文件夹清理无法通过 Java 进行控制，因此您可能会在关闭资源但稍后仍需要它时冒着丢失内容的风险。

You can also store them in a fixed folder outside the webapp. It has the advantage that the stuff don't get lost whenever you redeploy the webapp. The disadvantage is that you need to create the folder yourself with sufficient OS rights, which may not be applicable in 3rd party hosts.

您还可以将它们存储在 web 应用程序之外的固定文件夹中。它的优点是，无论何时重新部署 webapp，这些东西都不会丢失。缺点是您需要自己创建具有足够操作系统权限的文件夹，这可能不适用于 3rd 方主机。

Cleaning your own temporary resources certainly belongs to the tasks you need to do yourself. I wouldn't consider it as a concern.

清理自己的临时资源当然属于您需要自己完成的任务。我不会认为这是一个问题。

Just outweigh the advantages/disadvantages.

只是超过了优点/缺点。

I believe that temporary files belong in a temporary folder. In your case, you delete the files yourself, but what if there's a bug in the file deletion operation? Or what if there's a server shutdown before the files are deleted? If you write to a temporary folder, there's at least some hope that the files will be cleaned up later (manually or by some process).

我相信临时文件属于临时文件夹。在你的情况下，你自己删除文件，但如果文件删除操作出现错误怎么办？或者如果在删除文件之前服务器关闭怎么办？如果您写入临时文件夹，则至少有一些希望文件稍后会被清除（手动或通过某些过程）。

Even when an application wishes to store persistent data (i.e. not temporary), I think it still shouldn't be stored in the Tomcat directory, because those directories tend to be deleted or overwritten whenever you deploy a new version of your application (or even install a new version of Tomcat).

即使应用程序希望存储持久数据（即不是临时数据），我认为它仍然不应该存储在 Tomcat 目录中，因为每当您部署应用程序的新版本（甚至安装新版本的Tomcat）。

Useful methods:

有用的方法：

• java.io.File.createTempFile
• System.getProperty("java.io.tmpdir")

• java.io.File.createTempFile
• System.getProperty("java.io.tmpdir")

• Storing information within the web application folder does not always work. Some application servers do not expand the deployed WAR file and hence there is no "working directory" for a web application. Some sys admins also prevent web applications file system access (that depends on the security manager policies).
• Temporary files should be used for, well, temporary data. Data which can be reconstructed on demand. Do not use temporary files which ought to be downloaded by users. E.g. when your system thinks it should clean up temporary files or when you restart the application server, the user still wants to download this files although they might be deleted in the mean time.
• The right place to store such data is the database. Your documents are not really temporary in the means of temp files. Use a database to store the documents and use the database as a cache for documents. You can then implement your own cleanup strategy. It also serves as a persistent storage, so you don't have to worry about server restarts. Also, you can have additional meta-data in there, such as last access time or an access counter and easily provide the user with a list of documents he created. If your document processing library requires a java.io.Filefor manipulation, only then store the document from the database into a temp file, start the processing and read it back into the database.

• 在 Web 应用程序文件夹中存储信息并不总是有效。一些应用服务器不扩展部署的 WAR 文件，因此没有用于 Web 应用程序的“工作目录”。一些系统管理员还阻止 Web 应用程序文件系统访问（这取决于安全管理器策略）。
• 临时文件应该用于临时数据。可按需重构的数据。不要使用应该由用户下载的临时文件。例如，当您的系统认为它应该清理临时文件或当您重新启动应用程序服务器时，用户仍然希望下载这些文件，尽管它们可能同时被删除。
• 存储此类数据的正确位置是数据库。您的文档在临时文件中并不是真正的临时文件。使用数据库来存储文档并将数据库用作文档的缓存。然后，您可以实施自己的清理策略。它还可用作持久存储，因此您不必担心服务器重启。此外，您可以在其中添加其他元数据，例如上次访问时间或访问计数器，并轻松为用户提供他创建的文档列表。如果您的文档处理库需要java.io.File进行操作，则只有将数据库中的文档存储到临时文件中，然后开始处理并将其读回数据库。

A web container provides a context attribute that points to a temp directory:

Web 容器提供指向临时目录的上下文属性：

Servlet spec SRV.3.7.1 Temporary Working Directories

Servlet 规范 SRV.3.7.1 临时工作目录

A temporary storage directory is required for each servlet context. Servlet containers must provide a private temporary directory per servlet context, and make it available via the ServletContext.TEMPDIR(javax.servlet.context.tempdir) context attribute. The objects associated with the attribute must be of type java.io.File.

每个 servlet 上下文都需要一个临时存储目录。Servlet 容器必须为每个 servlet 上下文提供一个私有临时目录，并通过ServletContext.TEMPDIR( javax.servlet.context.tempdir) 上下文属性使其可用。与属性关联的对象必须是 java.io.File 类型。

Example :

例子 ：

File appTempDir = getServletContext().getAttribute(ServletContext.TEMPDIR);
File tempFile = File.createTempFile("process1", ".txt", appTempDir);
tempFile.deleteOnExit();
try {
    ...
} finally {
    tempFile.delete();
}