Is using the ModelAndView in this manner "thread-safe"? The UserToken bean passed on the constructor is session-scoped and proxied, so each user should be accessing their own token, right? Or is using the same ModelAndView for all requests overwriting the UserToken each time for every user, thus possibly causing user A to see user B's token?
@Controller
public class ViewController {
private final UserToken userToken;
private final ModelAndView mav;
@Value("${redirect.url}")
String redirectUrl;
@Autowired
public ViewController(UserToken userToken) {
this.userToken = userToken;
this.mav = new ModelAndView();
}
@RequestMapping("/")
public ModelAndView defaultView() {
return getModelAndView("home");
}
@RequestMapping("/entryPoint")
public ModelAndView accessDenied(@RequestParam(required=false) String token) {
userToken.deserialize(token);
mav.addObject("userToken", userToken);
return getModelAndView("redirect:/");
}
/**
* Handle redirect if the userToken is invalid
* @param viewName The view to map
* @return the ModelAndView
*/
private ModelAndView getModelAndView(String viewName) {
if (userToken.isValid()) {
mav.setViewName(viewName);
} else {
mav.setViewName("redirect:" + redirectUrl);
}
return mav;
}
}
Not even sure how to test for thread-safety in this scenario, so any insight would be appreciated (techniques, tools, etc.).
