sftp-fs

The sftp-fs library provides support for SFTP NIO.2 file systems, allowing SFTP servers to be accessed in a similar way to local file systems.

Creating file systems

If the SFTP file system library is available on the class path, it will register a FileSystemProvider for scheme sftp. This allows you to create SFTP file systems using the newFileSystem methods of class FileSystems. You can use class SFTPEnvironment to help create the environment maps for those methods:

SFTPEnvironment env = new SFTPEnvironment()
        .withUsername(username)
        .withUserInfo(userInfo);
FileSystem fs = FileSystems.newFileSystem(URI.create("sftp://example.org"), env);

Note that, for security reasons, it’s not allowed to pass the credentials as part of the URI when creating a file system. It must be passed through the environment, as shown above.

Providing credentials

There are a few ways to provide credentials. The easiest way is to call withUserInfo on an SFTPEnvironment instance with a UserInfo object to provide the password, and if necessary the passphrase. The sftp-fs library provides class SimpleUserInfo to provide a fixed password and passphrase. Note that any prompt will be answered with “no”. That means that you will most likely also need to set a HostKeyRepository by calling withHostKeyRepository on an SFTPEnvironment instance to verify the host.

If the UserInfo object will only provide a fixed password and do nothing else, you can also call withPassword on the SFTPEnvironment instance instead. This too most likely requires a HostKeyRepository to be set.

Instead of using a password, it’s also possible to use other authentication methods using an IdentityRepository, which can be set by calling withIdentityRepository on an SFTPEnvironment instance. This may require additional dependencies. For example, to use pageant, you will need the following additional dependencies:

<dependency>
  <groupId>com.jcraft</groupId>
  <artifactId>jsch.agentproxy.jsch</artifactId>
  <version>0.0.9</version>
</dependency>
<dependency>
  <groupId>com.jcraft</groupId>
  <artifactId>jsch.agentproxy.pageant</artifactId>
  <version>0.0.9</version>
</dependency>

The following code snippet shows how you can use pageant to authenticate:

SFTPEnvironment env = new SFTPEnvironment()
        .withUsername(username)
        .withIdentityRepository(new RemoteIdentityRepository(new PageantConnector()));
FileSystem fs = FileSystems.newFileSystem(URI.create("sftp://example.org"), env);

Creating paths

After a file system has been created, Paths can be created through the file system itself using its getPath method. As long as the file system is not closed, it’s also possible to use Paths.get. Note that if the file system was created with credentials, the username must be part of the URL. For instance:

// created without credentials
Path path1 = Paths.get(URI.create("sftp://example.org"));
// created with credentials
Path path2 = Paths.get(URI.create("sftp://username@example.org"));

If the username in the URI does not match the username used to create the file system, this will cause a FileSystemNotFoundException to be thrown.

Attributes

File attributes

SFTP file systems fully support read-access to the following attributes:

It’s not possible to set the last access time or creation time, either through one of the file attribute views or through a file system. Attempting to do so will result in an UnsupportedOperationException. All other attributes are supported, although when setting the owner or group the name must be the UID/GID.

File store attributes

When calling getAttribute on a file store, the following attributes are supported:

These values are only supported by SFTP servers that support the statvfs@openssh.com extension. If this extension is not supported, these methods will all return Long.MAX_VALUE.

There is no support for FileStoreAttributeView. Calling getFileStoreAttributeView on a file store will simply return null.

Error handling

Not all SFTP servers support the same set of error codes. Because of this, most methods may not throw the correct exception (NoSuchFileException, AccessDeniedException, etc).

To allow this behaviour to be modified, class SFTPEnvironment has method withFileSystemExceptionFactory that allows you to specify a custom FileSystemExceptionFactory implementation which will be used to create exceptions based on the reply code and string of the command that triggered the error. By default, an instance of class DefaultFileSystemExceptionFactory is used.

Thread safety

The SFTP protocol is fundamentally not thread safe. To overcome this limitation, SFTP file systems maintain multiple connections to SFTP servers. The number of connections determines the number of concurrent operations that can be executed. If all connections are busy, a new operation will block until a connection becomes available. Class SFTPEnvironment has method withClientConnectionCount that allows you to specify the number of connections to use. If no connection count is explicitly set, the default will be 5. It also has method withClientConnectionWaitTimeout that can be used to control how long to wait before a connection is available. The default is 0 which means wait indefinitely.

When a stream or channel is opened for reading or writing, the connection will block because it will wait for the download or upload to finish. This will not occur until the stream or channel is closed. It is therefore advised to close streams and channels as soon as possible.

Connection management

Because SFTP file systems use multiple connections to an SFTP server, it’s possible that one or more of these connections become stale. Class SFTPFileSystemProvider has static method keepAlive that, if given an instance of an SFTP file system, will send a keep-alive signal over each of its idle connections. You should ensure that this method is called on a regular interval.

Limitations

SFTP file systems knows the following limitations:

  • All paths use / as separator. / is not allowed inside file or directory names.
  • File attributes cannot be set when creating files or directories.
  • Symbolic links can be read and traversed, but not created.
  • There is no support for hard links.
  • Files can be marked as executable if the SFTP server indicates it is. That does not mean the file can be executed in the local JVM.
  • SeekableByteChannel is supported because it’s used by Files.createFile. However, these channels do not support seeking specific positions or truncating.
  • FileSystem.getFileStores() will only return a FileStore for the root path, even if the SFTP server actually has several mount points.
  • Although FileSystemProvider.getFileStore(Path) will return a FileStore for the actual Path, its name will always be /, even if the file or directory is located on a different mount point.
  • There is no support for UserPrincipalLookupService.
  • There is no support for WatchService.