The existing @SessionAttributes is for model attributes to be saved in the HTTP session during a controller workflow. Such attributes are temporarily stored and are to be removed once the controller indicates completion of the workflow. There is a need for convenient access to more permanent session attributes managed globally, outside the controller. Currently it's possible to inject the WebRequest, HttpSession, or to use @Value with an EL expression.
A dedicated @SessionAttribute parameter annotation with a required flag would look up and cast the session attribute. The session attribute name will default to the parameter type name since unlike a model attribute, a session attribute could be a simple type. A similar @RequestAttribute would do the same for access to request attributes.
Instead of different annotations (@SessionAttribute, @RequestAttribute) I would prefer a single annotation (e.g. @RequestAttribute) with a "scope" element (with value "request", "session", "globalSession" or "singleton").
Thanks for the comment. I think "application" might be a better name for ServletContext attributes. That said for such attributes it would also be natural to implement ServletContextAware and pick them up on startup (or later) hence modeling global attributes as class fields request-specific attributes as controller method arguments. The added advantage is that @RequestAttribute and @SessionAttribute provide extra convenience and readability.