I found this nice explanation in spring-mvc JavaDoc for WebUtils.getSessionMutex()
:
In many cases, the HttpSession reference itself is a safe mutex as well, since it will always be the same object reference for the same active logical session. However, this is not guaranteed across different servlet containers; the only 100% safe way is a session mutex.
This method is used as a lock when synchronizeOnSession
flag is set:
Object mutex = WebUtils.getSessionMutex(session);
synchronized (mutex) {
return handleRequestInternal(request, response);
}
If you look at the implementation of getSessionMutex()
, it actually uses some custom session attribute if present (under org.springframework.web.util.WebUtils.MUTEX
key) or HttpSession
instance if not:
Object mutex = session.getAttribute(SESSION_MUTEX_ATTRIBUTE);
if (mutex == null) {
mutex = session;
}
return mutex;
Back to plain servlet spec – to be 100% sure use custom session attribute rather than HttpSession
object itself.