Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
Description
In matter of security I wonder if we should stop using setters in internal API. Like in SessionAware interface we use setSession() and each actions must implement this method. Then we have a logic to avoid mapping incoming values to setSession() to permit injecting values into Session.
Instead of setSession() we can use withSession() or applySession() - the same can be applied to any *Aware interface.
Attachments
Issue Links
- links to