Some hints:
Consider content type 'image/jpeg' (or another image type).
At least set
    response.setStatus(IMxRuntimeResponse.OK);
One request handler can only return one image unless you pass a parameter like
    /image?type=thumbnail
Read the parameter in the request handler.
Edit: Jasper is right about the security; this snippet may help:
    String cookie = request.getCookie("XASSESSIONID");
    if (cookie == null || cookie.isEmpty()) {
        // not logged in, ready.
        response.setStatus(IMxRuntimeResponse.OK);
        return;
    }
    // Log only that a cookie is present; its value is the session id and should not end up in logs.
    logger.debug("Css Getting cookie");
    ISession session = null;
    logger.debug("Cookie found, trying to find active Mendix session");
    for (ISession activeSession : Core.getActiveSessions()) {
        if (activeSession.getId().toString().equals(cookie)) {
            session = activeSession;
            logger.debug("Active Mendix session found");
            break;
        }
    }
    // session not found in list of active sessions.
    if (session == null) {
        // not logged in, ready.
        response.setStatus(IMxRuntimeResponse.OK);
        return;
    }
Edit 2:
To get the correct image type, use Apache Tika and this function:
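    import java.io.IOException;
    import java.io.InputStream;
    import org.apache.tika.config.TikaConfig;
    import org.apache.tika.detect.Detector;
    import org.apache.tika.io.TikaInputStream;
    import org.apache.tika.metadata.Metadata;

    public org.apache.tika.mime.MediaType getFileFormat(FileDocument fileDocument) throws IOException {
        // try-with-resources closes both streams once detection is done
        try (InputStream is = Core.getFileDocumentContent(getContext(), fileDocument.getMendixObject());
             TikaInputStream stream = TikaInputStream.get(is)) {
            Detector detector = TikaConfig.getDefaultConfig().getDetector();
            Metadata metadata = new Metadata();
            // The file name is passed as a hint next to the content itself
            metadata.add(Metadata.RESOURCE_NAME_KEY, fileDocument.getName());
            return detector.detect(stream, metadata);
        }
    }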
Take care of the fact that Apache Tika also contains Apache POI, and this may cause conflicts with other App Store modules. To be compatible with POI 3.10 (used in the Mendix Excel module, AFAIK), use Tika 1.6.
Please be careful what you are doing with that request handler. The way you have programmed the code right now opens up your application and potentially creates a huge security gap!
Your request handler as written in your question does not require the user to be logged in and needs a GUID as input. A GUID is a sequential number, so by enabling this anybody could just call your request handler with a number and keep increasing it. Your Java would just return all the documents that are in your system.
To resolve this you can do two things. Require a session and use the user context to only retrieve the data he has access to.
The RequestHandler has a function: this.getSessionFromRequest() which can give you the session from the user that is logged in. Using that session you can then create a context to retrieve the FileDocuments. So that would be:
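    // getSessionFromRequest takes the incoming request (named "request" here, as in processRequest)
    IContext context = this.getSessionFromRequest(request).createContext();
    IMendixObject image = Core.retrieveXPathQuery(context, "//System.FileDocument[id='" + imgGUID + "']").get(0);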
Or alternatively, if you don't want to require the user to log in, create a separate entity for PublicFileDocuments and query on that entity only. That way you explicitly control what is being published (or add a boolean or enum or something on the entity to limit what is available).
You want to make sure that a hacker can't get access to exports or any other confidential information.
Specific to your question, I would recommend two things.
As Chris mentions, add the response code 200 OK by using: response.setStatus(IMxRuntimeResponse.OK);
Do not close the output stream. That closes (ends) the response before it reaches the browser. The output stream is closed when the connection with the browser closes.
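
The access rule described in the answer above, as an added example that is not code from either poster and does not use the Mendix API: a plain-Java model (Java 16+) comparing a lookup that trusts the id from the URL with one that serves public documents to everyone and private ones only to the owner's session. It combines the two alternatives from the answer in one check; the store, session map, ids and file names are constructed sample data.

```java
import java.util.*;

public class ImageHandlerAccessDemo {
    // Constructed stand-in for a stored file document (hypothetical fields).
    record Doc(long id, String owner, boolean isPublic, String name) {}

    static final Map<Long, Doc> STORE = new HashMap<>();
    // Constructed session table: session id -> user name.
    static final Map<String, String> SESSIONS = Map.of("s-alice", "alice");

    static {
        // Sequential ids, as in the scenario the answer describes.
        STORE.put(1001L, new Doc(1001L, "alice", false, "alice-scan.jpg"));
        STORE.put(1002L, new Doc(1002L, "bob", false, "bob-export.xlsx"));
        STORE.put(1003L, new Doc(1003L, "system", true, "logo.png"));
    }

    // "Before": no session required, any existing id is served.
    static Optional<Doc> unscopedLookup(long id) {
        return Optional.ofNullable(STORE.get(id));
    }

    // "After": public documents for everyone, private ones only for the
    // user behind a valid session. Unknown ids and denied ids look the same.
    static Optional<Doc> scopedLookup(String sessionId, long id) {
        Doc doc = STORE.get(id);
        if (doc == null) return Optional.empty();
        if (doc.isPublic()) return Optional.of(doc);
        String user = (sessionId == null) ? null : SESSIONS.get(sessionId);
        return doc.owner().equals(user) ? Optional.of(doc) : Optional.empty();
    }

    // Regression-style check: how many ids in a range does a caller get back?
    static long countVisible(String sessionId, boolean scoped) {
        long visible = 0;
        for (long id = 1000; id <= 1005; id++) {
            Optional<Doc> doc = scoped ? scopedLookup(sessionId, id) : unscopedLookup(id);
            if (doc.isPresent()) visible++;
        }
        return visible;
    }

    public static void main(String[] args) {
        System.out.println("anonymous, unscoped: " + countVisible(null, false));
        System.out.println("anonymous, scoped:   " + countVisible(null, true));
        System.out.println("alice, scoped:       " + countVisible("s-alice", true));
        System.out.println("stale session:       " + countVisible("s-expired", true));
    }
}
```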