Details
Type: Bug Detection
Status: Active
Resolution: Unresolved
Labels:
Message: Add a call to "setComplete()" on the SessionStatus object in a "@RequestMapping" method.
Highlighting:
Default Severity: Blocker
Impact: High
Likelihood: High
Default Quality Profiles: Sonar way
Covered Languages: Java
Remediation Function: Constant/Issue
Constant Cost: 15min
Analysis Scope: Main Sources
Description
A Spring @Controller that uses @SessionAttributes is designed to handle a stateful / multi-post form. Such @Controllers use the specified @SessionAttributes to store data on the server between requests. That data should be cleaned up when the session is over, but unless setComplete() is called on the SessionStatus object from a @RequestMapping method, neither Spring nor the JVM will know it's time to do that. Note that the SessionStatus object must be passed to that method as a parameter.
Noncompliant Code Example
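import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.SessionAttributes;
import static org.springframework.web.bind.annotation.RequestMethod.GET;

@Controller
@SessionAttributes("hello")  // Noncompliant; this doesn't get cleaned up
public class HelloWorld {

  // No method in this class takes a SessionStatus, so setComplete() is never called
  @RequestMapping(value = "/greet", method = GET)
  public String greet(String greetee) {
    return "Hello " + greetee;
  }
}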
Compliant Solution
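import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.bind.support.SessionStatus;
import static org.springframework.web.bind.annotation.RequestMethod.GET;
import static org.springframework.web.bind.annotation.RequestMethod.POST;

@Controller
@SessionAttributes("hello")
public class HelloWorld {

  @RequestMapping(value = "/greet", method = GET)
  public String greet(String greetee) {
    return "Hello " + greetee;
  }

  // SessionStatus is passed in as a parameter so the handler can end the conversation
  @RequestMapping(value = "/goodbye", method = POST)
  public String goodbye(SessionStatus status) {
    //...
    status.setComplete();  // tells Spring to clean up the "hello" session attribute
    return "goodbye";      // placeholder view name, added so the method compiles
  }
}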
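The same rule applied to a multi-post form that actually stores an object in the session, as an added example that is not part of the original rule text. The class, form object, paths and view names are hypothetical; it shows that every exit from the flow (finish and cancel) needs its own setComplete() call.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.bind.support.SessionStatus;
import static org.springframework.web.bind.annotation.RequestMethod.GET;
import static org.springframework.web.bind.annotation.RequestMethod.POST;

// Hypothetical two-step transfer form (names, paths and views are illustrative)
@Controller
@RequestMapping("/transfer")
@SessionAttributes("transferForm")
public class TransferWizardController {

  // Hypothetical form object; it lives in the HTTP session between the POSTs
  public static class TransferForm {
    private String account;
    public String getAccount() { return account; }
    public void setAccount(String account) { this.account = account; }
  }

  // Invoked only when "transferForm" is not already in the session
  @ModelAttribute("transferForm")
  public TransferForm newForm() { return new TransferForm(); }

  @RequestMapping(value = "/step1", method = GET)
  public String showStep1() { return "transfer/step1"; }

  // Intermediate step: request parameters are bound, the form stays in the session
  @RequestMapping(value = "/step1", method = POST)
  public String step1(@ModelAttribute("transferForm") TransferForm form) {
    return "transfer/step2";
  }

  // Final step: use the form, then release it from the session
  @RequestMapping(value = "/step2", method = POST)
  public String finish(@ModelAttribute("transferForm") TransferForm form,
                       SessionStatus status) {
    // ... process form.getAccount() ...
    status.setComplete();
    return "redirect:/transfer/done";
  }

  // Abandoning the flow must release the stored data as well
  @RequestMapping(value = "/cancel", method = POST)
  public String cancel(SessionStatus status) {
    status.setComplete();
    return "redirect:/";
  }
}
```

setComplete() clears only the attributes named in this controller's @SessionAttributes; it does not invalidate the HttpSession itself.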
Issue Links
- is implemented by SONARJAVA-2755 Rule S3753: "@Controller" classes that use "@SessionAttributes" must call "setComplete" on their "SessionStatus" objects (Closed)