Question

I'm aware that Spring MVC controllers are Singletons.

So, using the controller's fields to store data can result in security issues.

My question is, suppose I have a mapping which allows users to download a file -

@RequestMapping(value = "downloadReport", method=RequestMethod.GET)
public void downloadReport(@RequestParam("reportStoreId") String reportStoreId,
            HttpServletResponse response, HttpServletRequest request) {
    // use reportStoreId to fetch a report from file system and pass it to user using PrintWriter, response.getWriter(), etc...
}

So if multiple users request to download files with different IDs at the same time, could it lead to one user getting a file requested by another user?

Solution

If your implementation of downloadReport is thread-safe, then you do not have to worry about this.

In the situation you describe, multiple threads will be executing downloadReport. If all of the variables used in the execution are on each thread's stack, they won't collide. Here is a simple example to illustrate:

@RequestMapping(value = "downloadReport", method=RequestMethod.GET)
public void downloadReport(@RequestParam("reportStoreId") String reportStoreId,
            HttpServletResponse response, HttpServletRequest request) throws IOException {
    // getWriter() declares IOException, so the handler has to declare it as well
    response.getWriter().print(getReportText(reportStoreId));
}

You would need to implement getReportText to return the text of the named report -- or something similar. As you can see, getReportText returns the text according to its parameter. This parameter is on the thread's call stack and will be different for each request (unless, of course, the two requests are for the same file).

OTHER TIPS

The short answer is no.

The not-so-short answer follows. For each request, Spring will invoke the method of the controller and will pass its own value of the id parsed from the HTTP request. A stack variable is very different from a class field. Its lifecycle is different: it is created when the method starts and is destroyed when the method finishes. Also, it is not accessible by other concurrently running threads, so no interference may happen.
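The difference both answers describe, as an added example that is not part of the original posts: plain Java with no Spring dependency, where one shared instance stands in for the singleton controller. The class names, the `Handler` interface, the `CyclicBarrier` used to force the interleaving, and the report data are all assumptions made for the illustration.

```java
import java.util.Map;
import java.util.concurrent.*;

public class SingletonControllerDemo {
    // Constructed sample data standing in for the report store.
    static final Map<String, String> REPORTS = Map.of("A", "report A", "B", "report B");

    interface Handler { String handle(String id, CyclicBarrier sync) throws Exception; }

    // Hypothetical unsafe variant: the request's id is parked in a field of the shared instance.
    static class FieldController {
        // volatile only makes the overwrite visible to both threads; it does not make it per-request.
        private volatile String reportStoreId;
        String downloadReport(String id, CyclicBarrier sync) throws Exception {
            this.reportStoreId = id;                 // both requests write the same field
            sync.await();                            // force the bad interleaving: both writes land first
            return REPORTS.get(this.reportStoreId);  // both requests read whichever write came last
        }
    }

    // Variant from the page: only the parameter (a per-thread stack variable) is used.
    static class ParamController {
        String downloadReport(String id, CyclicBarrier sync) throws Exception {
            sync.await();                            // same interleaving, nothing shared to overwrite
            return REPORTS.get(id);
        }
    }

    // Sends requests "A" and "B" concurrently to one handler; returns {response to A, response to B}.
    static String[] twoRequests(Handler h) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(2);
        CyclicBarrier sync = new CyclicBarrier(2);
        try {
            Future<String> a = pool.submit(() -> h.handle("A", sync));
            Future<String> b = pool.submit(() -> h.handle("B", sync));
            return new String[] { a.get(), b.get() };
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        String[] f = twoRequests(new FieldController()::downloadReport); // one instance, like a singleton bean
        String[] p = twoRequests(new ParamController()::downloadReport);
        System.out.println("field:     A got " + f[0] + ", B got " + f[1]);
        System.out.println("parameter: A got " + p[0] + ", B got " + p[1]);
    }
}
```

With the field variant both callers receive the same report, so one of them gets the other user's file; with the parameter variant each caller receives the report it asked for.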

Licensed under: CC-BY-SA with attribution