Aug 16th, 2012, 08:28 AM
Is it secure to get beans directly from HttpSession with getAttribute()?
I have some proxied session-scoped beans that I need to access from HttpSessionListener when the session gets destroyed. As there is no request bound to the Thread, I can't access the session scoped beans the normal way.
Reading around, I found that the beans are currently stored into the session with the beanName, and if it's proxied, then it's prefixed with the String "scopedTarget.". Although, I don't know if this is secure/recommended to get beans this way, as it could change on next releases of Spring.
Currently, one could get those beans with session.getAttribute("beanName") or session.getAttribute("scopedTarget.beanName") when proxied.
So, is it secure/recommend to get the beans this way? Is there a recommended way?
I could also mock the ServletRequest and pass it to the ServletRequestAttributes (as described here). But I believe this is even more heterodox.
Tags for this Thread