Spring Framework
  1. Spring Framework
  2. SPR-4049

Spring beans automagically exposed as jsp/jstl attributes considered harmful

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.5 RC1
    • Fix Version/s: 2.5 RC2
    • Component/s: Web
    • Labels:
      None
    • Last commented by a User:
      false

      Description

      I don't like the idea of exposing Spring beans as attributes to JSP/JSTL because it violates the design principle that communication between controllers and views should pass through the model object. Accessing directly Spring beans in EL expressions couples the presentation tier to the other tiers in a far less than obvious way.

      I even more dislike the idea of setting the default value of JstlView.exposeContextBeansAsAttributes to true as this encourage this bad practice (see SPR-3848).

      Furthermore this introduces a breaking change in the frequent case when a model attribute has the same name as a Spring bean. For instance in my applications many views and the corresponding command object share the very same name: up to 2.1M4 in the jstl page I used to get the model object, while in 2.5RC1 I get the view!

      Thanks in advance for reconsidering this decision.

        Issue Links

          Activity

          Hide
          Juergen Hoeller added a comment -

          I agree... JstlView should not set "exposeContextBeansAsAttributes" flag to "true" by default. I've also revised attribute access to check explicitly registered request attributes first (in particular model attributes), then check Spring beans (now only if "exposeContextBeansAsAttributes" has been explicitly set to "true").

          This change should be available in the next nightly 2.5 RC2 snapshot.

          Thanks for raising this...

          Juergen

          Show
          Juergen Hoeller added a comment - I agree... JstlView should not set "exposeContextBeansAsAttributes" flag to "true" by default. I've also revised attribute access to check explicitly registered request attributes first (in particular model attributes), then check Spring beans (now only if "exposeContextBeansAsAttributes" has been explicitly set to "true"). This change should be available in the next nightly 2.5 RC2 snapshot. Thanks for raising this... Juergen

            People

            • Assignee:
              Juergen Hoeller
              Reporter:
              Fabio Grassi
              Last updater:
              Trevor Marshall
            • Votes:
              1 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                6 years, 24 weeks, 3 days ago