problem with file upload, security issue


blust1984
Jul 17th, 2007, 01:04 PM
Currently I am implementing the file upload feature using the Spring framework for my web application. Now I face a security problem.

I have two options:
1) Upload the file to the local server file system. In this case, another user can easily access files which belong to other users if he/she knows the path. I need to find a way to allow a user to access only the files that belong to him.

2) Then I have another option. I do not store the file in the file system; instead, I only store the file uploaded by the user in the database as a binary array. But another problem comes up: how can I show the file (for example, a doc file) on the web? I get the binary string from the database, then create the file object. But how do I show the file in the web UI part with this file object?

blust1984
Jul 18th, 2007, 02:58 AM
Any suggestions?

Jörg Heinicke
Jul 18th, 2007, 08:13 PM
1) Upload the file to the local server file system.

2) I do not store the file in the file system; instead, I only store the file uploaded by the user in the database as a binary array. But another problem comes up: how can I show the file (for example, a doc file) on the web? I get the binary string from the database, then create the file object. But how do I show the file in the web UI part with this file object?

You don't need to create a file object from the binary string. You have to write it to the servlet response's output stream anyway.

Second, you can mix both approaches. Store the file in "unpredictable" folders. I used an alphanumeric UUID generator for that. Store this path in the database, not the whole file.

Jörg
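
The approach from the reply above (UUID-named folder on disk, path kept in the database, bytes written to the response's output stream), combined with the per-user ownership check the original question asks for, as an added example that is not code from this thread. Assumptions: the class name `UploadStore` is hypothetical, an in-memory map stands in for the database table, the `OutputStream` argument stands in for the servlet response's output stream, and `requester` is the already authenticated user name.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class UploadStore {
    // Stand-in for the database table: file id -> owner, stored path, original name.
    record Entry(String owner, Path path, String displayName) {}

    private final Map<String, Entry> db = new ConcurrentHashMap<>();
    private final Path root; // should live outside the web root so files are not served directly

    UploadStore(Path root) { this.root = root; }

    // Save under a random UUID folder. The client-supplied name is kept only as
    // metadata and is never used to build a path on disk.
    String save(String owner, String originalName, InputStream upload) throws IOException {
        String id = UUID.randomUUID().toString();
        Path dir = Files.createDirectories(root.resolve(id));
        Path target = dir.resolve("data");
        Files.copy(upload, target);
        db.put(id, new Entry(owner, target, originalName));
        return id;
    }

    // Stream the file to 'out' (in a servlet: the response's output stream),
    // but only when the requester owns it.
    boolean send(String requester, String id, OutputStream out) throws IOException {
        Entry e = db.get(id);
        if (e == null || !e.owner().equals(requester)) {
            return false; // same answer for "unknown id" and "not yours", so ids cannot be probed
        }
        Files.copy(e.path(), out);
        return true;
    }

    public static void main(String[] args) throws IOException {
        UploadStore store = new UploadStore(Files.createTempDirectory("uploads"));
        // Constructed sample upload
        InputStream sample = new ByteArrayInputStream("hello".getBytes());
        String id = store.save("alice", "report.doc", sample);

        ByteArrayOutputStream forAlice = new ByteArrayOutputStream();
        ByteArrayOutputStream forBob = new ByteArrayOutputStream();
        System.out.println("alice allowed: " + store.send("alice", id, forAlice));
        System.out.println("bob allowed:   " + store.send("bob", id, forBob));
        System.out.println("bytes sent to bob: " + forBob.size());
    }
}
```

The random folder name keeps paths from being guessed, while the owner comparison in `send` is what actually limits each user to their own files.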