The second approuch looks like a step in the right direction. It would be nice not to need a session to serve a request.
That's quite impossible for many (internal) reasons. However, as long as you are operating stateless (no reall HttpSession or whatever backing created yet), only temporary instances of are created (and discarded at the end of a request). See Session#isTemporary. Eelco
