0

Let's say I'm using Spring MVC with Thymeleaf with an HTML page foo that submits text to bar using HTTP POST from a standard HTML form. I have a BarController that looks something like this:

@Controller
@RequestMapping("/bar")
public class BarController {

  @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
  public String postText(@RequestParam("text") String text, final Model model) {
    model.addAttribute("submittedText", text);
    return "/bar";
  }

Then my view Thymeleaf template file does something with $submittedText. For example it could place the text in the HTML:

<p>Submitted text: <span th:text="${submittedText}"></span></p>

Can I use Spring MVC and Thymeleaf in this way as a simple model/view templating system (i.e. a layer on top of manually writing servlets), without any back-end session being created?

I think the answer is "yes", but I wanted to run it by the other Spring MVC and Thymeleaf experts to make sure.

My understanding is that Spring MVC uses Java EE servlet sessions, and a session is not created until request.getSession() or request.getSession(true) is called. If I'm not declaring any session variables, and I'm not declaring any flash attributes, and I'm delegating directly to the view without redirecting, then there is no need for a session and Spring would never attempt to retrieve one. I presume this scenario would be no different than if I simply wrote a servlet from scratch to look at the submitted data and generate HTML by string concatenation.

Furthermore I have used Chrome Developer Tools and don't see any session cookie or URL rewriting taking place with a session ID.

I am keen to know if a session is getting created somewhere I'm not knowing about, or any other gotchas I should watch out for.

halfer
  • 19,824
  • 17
  • 99
  • 186
Garret Wilson
  • 18,219
  • 30
  • 144
  • 272
  • so it doesn't matter to you, when a user gets submitted text of another user?? :):):) (there will be some state stored (in the jee container) ..at least for the time between request and response (session..default timeout is 30 minutes in "web.xml" based.. ;) – xerx593 Mar 26 '23 at 22:15
  • [also applies to your tags](https://stackoverflow.com/q/2255814/592355) – xerx593 Mar 26 '23 at 22:19
  • xerx593 if I write a simple servlet, the data I parse from the input and then write to the output can never be seen by any other requests. But you are saying that the data I store in `model.addAttribute("submittedText", text)` (in the model that was injected during the request) somehow survives the single request and can be viewed by other requests? That sounds outlandish. I'm not saying you're wrong, I'm just saying that I would need to see some official documentation or something to convince me of that. Can you explain further? – Garret Wilson Mar 26 '23 at 22:25
  • "(there will be some state stored (in the jee container) …" Where, pray tell, would this state be stored, if no session is created? And how on earth, even if a session were created, could another session ever see this data? I truly don't understand the mechanism here. Surely you're not implying that there is a single `Model` shared by all requests, are you? If so, I would definitely need to see that documented somewhere. – Garret Wilson Mar 26 '23 at 22:27
  • no, i was (little) kdding ... spring-mvc is also just a "little servlet" in "big container" the details are in your container settings/implementation (in spring-boot e.g. [1](https://docs.spring.io/spring-boot/docs/current/reference/html/application-properties.html#application-properties.server.server.servlet.session.timeout), [2](https://docs.spring.io/spring-boot/docs/current/reference/html/application-properties.html#application-properties.web.spring.session.timeout)) – xerx593 Mar 26 '23 at 22:42
  • and if you write a "simple servlet", then it also resides in a "container" ..with a web.xml...and session-timeout of 30m (unless you provide different) ..whatever that means :):) – xerx593 Mar 26 '23 at 22:48
  • " could another session ever see this data" me and many sleep tight regarding this (since tomcat 4)...but we shouldn't ..too :) (but when a "session" comes that far the data of another session is your last sorrow/there are bigger leaks) – xerx593 Mar 26 '23 at 22:53
  • to answer your questions: 1. yea you can use it that way , but 2. not without *any* session (for (approximately) this you have to tune your container) – xerx593 Mar 26 '23 at 23:01
  • @xerx593 you are wrong, nothing is stored in the HTTP Session for this, nor is one created by this code nor explicitly nor implicitly. – M. Deinum Mar 27 '23 at 07:11
  • I have not said "something is stored in the HTTP session" ...i said: a container works for multi users... @M.Deinum, but thank you for your "correction" – xerx593 Mar 27 '23 at 09:16
  • I would go further and say "'HTTP session'...what is that??" ...http is a STATELESS protocol. – xerx593 Mar 27 '23 at 09:19
  • It is in your first comment, it explicitly mentions the session. Nonetheless there is nothing stored as it is all in process. – M. Deinum Mar 27 '23 at 09:54

1 Answers1

0

Theoretically you're right. Unless you explicitly create a session (using request.getSession() or request.getSession(true) or any other way), you are not creating a session, thus the main symptom of a session (which is the JSESSIONID cookie) wouldn't be available.

I say "theoretically" because, although you are not creating a session, other parts of your code might create a session based on what you're trying to do, which to me doesn't look like the case here.

As you're using Spring, if you're also using Spring Security, you can disable the session altogether - if that's your choice - by using/customizing the SecurityFilterChain bean, like this (the following code considers you're using Spring Security 6):

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) {
    http
        // ...
        .sessionManagement((session) -> session
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        );
    return http.build();
}

Also, take a look at how Spring handles the SessionCreationPolicy and what each option (STATELESS, NEVER...) does.

Examples for older versions are also available at the source, but they aren't deviating that far from this one.

Lucas Silva
  • 13
  • 7
  • 1
    This will only make Spring Security stateless, it doesn't do anything for the rest of your application. – M. Deinum Mar 27 '23 at 06:47