During a booking process, several @RestControllers are called, each collecting some data from the client and the backend. The findings are stored within a process-specific object within the HttpSession.
Currently we keep the session object encapsulated within the @RestMapping-annotated method of the controllers. Testing only checks for the correct response from the controller by use of MockMvc.
I would like to change testing to allow for test-driven development. But to do so, I would need to change the code to have (at least) "protected" access to the session object.
My question is now, whether I might implement a security issue by this. How do others deal with this problem?