"That means if you inject a UserLogin for two different user sessions during the same lifetime of the application, both will have the same UserLogin instance injected."
Tim Holloway wrote: I have a bigger doubt. DON'T WRITE YOUR OWN SECURITY. Unless you are a full-time professionally-trained security professional, it's about 95% certain that someone can crack your security system. And, based on what I've seen over the years, about an 85% chance that non-technical people will be able to bypass security in 15 minutes or less. That includes systems designed by the in-house "genius".
J2EE/JEE defines a standard container-based security subsystem. In nearly 20 years, I've never heard of it being breached. It's pre-written, pre-debugged, tested by security pros, well-documented, and best of all, it blocks most security attacks before they can attack the web application itself. Consider using it.
Spring also provides a finer-grained security system itself, which I believe actually can work in concert with container security.
So there's no excuse for writing your own security management in most cases.