Understanding Spring MVC Model and Session Attributes
Spring MVC Scopes
When I started writing Web applications in Spring MVC, I found the
Spring model and session attributes to be a bit of a mystery –
especially as they relate to the HTTP request and session scopes and
their attributes that I knew well. Was a Spring model element going to
be found in my session or request? If so, how could I control this? In
this post, I hope to demystify how Spring MVC’s model and session work.
There are several ways to add data or objects to Spring’s model.
Data or objects are typically added to Spring’s model via an annotated
method in the controller. In the example below, @ModelAttribute is used
to add an instance of MyCommandBean to the model under the key of
System.out.println("Inside of addStuffToRequestScope");
On an incoming request, any methods annotated with @ModelAttribute
are called before any controller handler method (like
requestHandlingMethod in the example above). These methods add data to a
java.util.Map that is added to the Spring model before the execution of
the handler method. This can be demonstrated by a simple experiment. I
created two JSP pages: index.jsp and nextpage.jsp. A link on
index.jsp page is used to send a request into the application triggering
the requestHandlingMethod() of MyController. Per the code above, the
requestHandlingMethod() returns “nextpage” as the logical name of the
next view which is resolved to nextpage.jsp in this case.
When this little Web site is executed in this fashion, the
System.out.println’s of the controller, show how the @ModelAttribute
method is executed before the handler method. It also shows that the
MyCommandBean was created and added to Spring’s model and was available
in the handler method.
Now, the question is “where is Spring model data stored?” Is it
stored in the standard Java request scope? The answer is – yes…
eventually. As you can tell from the output above, MyCommandBean is in
the model, but not yet in the request object when the handler method
executes. Indeed, Spring does not add the model data to the request as
an attribute until after the execution of the handler method and before
presentation of the next view (in this case the nextpage.jsp).
This can also be demonstrated by printing out the attribute data
stored in the HttpServletRequest in both index.jsp and nextpage.jsp. I
arranged for both of these pages to use a JSP scriptlet (shown below) to
display the HttpServletRequest attributes.
When the application comes up and index.jsp is displayed, you can see that there are no attributes in request scope.
In this case, when the “do something” link is clicked it causes the
MyController’s handler method to execute, which in turn causes the
nextpage.jsp to be displayed. Given the same JSP scriptlet is on the
nextpage.jsp, it too renders what is in the request scope. Lo and
behold, when nextpage.jsp renders, it shows the model MyCommandBean
created in the controller has been added to the HttpServletRequest
scope! The Spring model attribute key of “myRequestObject” has even
been copied and used as the request attribute’s key. So
Spring model data created prior to (or during) the handler method
execution has been copied to the HttpServletRequest before the next view
So now you know how Spring’s model data is managed and how it relates
to regular Http request attribute data. What about Spring’s session
Spring’s @SessionAttributes is used on a controller to designate which model attributes should be stored in the session.
In actually, what @SessionAttributes allows you to do is tell Spring
which of your model attributes will also be copied to HttpSession before
rendering the view. Again, this can be demonstrated with a little
In my index.jsp and nextpage.jsp, I added an additional JSP scriptlet to show the HttpSession attributes.
So now, we should be able to see what is in the session object before,
during, and after Spring MVC has handled one HTTP request when annotated
with @SessionAttributes. The results are shown below. First, as the
index.jsp page is displayed (before the request is sent and handled by
Spring MVC), we see that there is no attribute data in either the
HttpServletRequest or HttpSession.
During the execution of the handler method (requestHandlingMethod),
you see MyCommandBean has been added to the Spring model attributes, but
it is not yet in the HttpServletRequest or HttpSession scope. But
after the handler method has executed and when the nextpage.jsp is
rendered, you can see that the model attribute data (MyCommandBean) has
indeed been copied as an attribute (with the same attribute key) to both
HttpServletRequest and HttpSession.
Controlling Session Attributes
So now you have an appreciation of how Spring model and session
attribute data are added to HttpServletRequest and HttpSession. But now
you may be concerned with how to manage that data in Spring session.
Spring provides a means to remove Spring session attributes, and thereby
also remove it from HttpSession (without having to kill the entire
HttpSession). Simply add a Spring SessionStatus object as a parameter to
a controller handler method. In this method, use the SessionStatus
object to end the Spring session.