Rules Repository: RSPEC-2226

Servlets should not have mutable instance fields


    Details

    • Message:
      Remove this misleading mutable servlet instance field or make it "static" and/or "final"
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      Java
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Scope:
      Main Sources
    • CERT:
      MSC11-J.
    • FindBugs:
      MTIA_SUSPECT_SERVLET_INSTANCE_FIELD, MSF_MUTABLE_SERVLET_FIELD, MTIA_SUSPECT_STRUTS_INSTANCE_FIELD

      Description

      By contract (the Java Servlet specification), the container creates a single instance of each servlet and dispatches every incoming HTTP request to that one instance on its own thread. Concurrent requests from different users therefore run through the same object at the same time and share its instance fields. A mutable instance field that holds request- or user-specific data is a data race: one request can overwrite it while another is still reading it, so a user can be served another user's data (the session-information leak described in CERT MSC11-J). Per-request state belongs in local variables, request attributes or the HttpSession. To make the sharing explicit and prevent unexpected behavior at runtime, any remaining servlet field should be static and/or final, or simply removed. Note that static alone only documents that a field is shared; a static field that is still mutable needs proper synchronization if it is ever written after initialization.

      With Struts 1.x the same constraint applies to subclasses of org.apache.struts.action.Action, which the framework likewise instantiates once and invokes from many request threads.

      Noncompliant Code Example

      public class MyServlet extends HttpServlet {
        private String userName;  // Noncompliant: one field shared by every request thread, so one user's name can be served to another user
        ...
      }
      

      or

      public class MyAction extends Action {
        private String userName;  // Noncompliant: same reason, a single Action instance serves all request threads
        ...
      }
      

      See

      • CERT, MSC11-J. - Do not let session information leak within a servlet

      Exceptions

      • Fields annotated with @javax.inject.Inject, @javax.ejb.EJB, @org.springframework.beans.factory.annotation.Autowired or @javax.annotation.Resource: the container or dependency-injection framework assigns them once, before the servlet serves any request
      • Fields initialized in init() or init(ServletConfig config): the container calls init() exactly once, before any request is dispatched, so such fields are effectively write-once
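      The following is an added example, not the rule's own code, that reproduces the hazard from the Description and the init() exception above with a plain JDK. A real HttpServlet needs the servlet API and a container; here a fixed thread pool plays the container (one handler instance, a thread per request) and the Handler interface stands in for HttpServlet.service(). Both stand-ins are assumptions made so the code runs stand-alone.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Added example (not SonarSource code). The thread pool below is an assumed
 * stand-in for the servlet container: one handler instance, one thread per
 * request, exactly the sharing the rule warns about.
 */
public class ServletFieldRace {

    /** Assumed stand-in for HttpServlet.service(): one call per request. */
    interface Handler {
        String handle(String userName) throws InterruptedException;
    }

    /** Noncompliant: request-specific data kept in a mutable instance field. */
    static class LeakyHandler implements Handler {
        private String userName; // shared by every request thread

        public String handle(String name) throws InterruptedException {
            userName = name;            // this thread writes its own user
            Thread.sleep(1);            // meanwhile another thread overwrites the field
            return "Hello " + userName; // may now carry another user's name
        }
    }

    /** Compliant: shared fields are final or set once in init(); per-request data is local. */
    static class SafeHandler implements Handler {
        private static final String SEPARATOR = " "; // immutable, safe to share
        private String greeting;                     // assigned once in init(), before any request

        void init(String greetingFromConfig) {       // stand-in for init(ServletConfig)
            greeting = greetingFromConfig;
        }

        public String handle(String name) throws InterruptedException {
            String userName = name;     // lives on this thread's stack only
            Thread.sleep(1);
            return greeting + SEPARATOR + userName;
        }
    }

    /**
     * Dispatches the given number of concurrent requests to ONE handler instance,
     * as a container would, and returns how many responses named a different user.
     */
    static int countCrossUserResponses(Handler handler, int requests) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        AtomicInteger leaks = new AtomicInteger();
        CountDownLatch done = new CountDownLatch(requests);
        for (int i = 0; i < requests; i++) {
            final String me = "user" + i;
            pool.submit(() -> {
                try {
                    if (!handler.handle(me).equals("Hello " + me)) {
                        leaks.incrementAndGet(); // response carried someone else's name
                    }
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                } finally {
                    done.countDown();
                }
            });
        }
        done.await();
        pool.shutdown();
        return leaks.get();
    }

    public static void main(String[] args) throws InterruptedException {
        int requests = 2000;
        SafeHandler safe = new SafeHandler();
        safe.init("Hello"); // the container calls init() exactly once, before serving requests

        System.out.println("LeakyHandler responses with another user's name: "
                + countCrossUserResponses(new LeakyHandler(), requests));
        System.out.println("SafeHandler  responses with another user's name: "
                + countCrossUserResponses(safe, requests));
    }
}
```

      Run it with `java ServletFieldRace.java` (JDK 11 or later). The LeakyHandler count is almost always non-zero because eight threads keep overwriting the single userName field while others are between the write and the read; the SafeHandler count is always zero, since its only mutable field is assigned once in init() before the pool threads exist and everything request-specific stays on the calling thread's stack.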

      Issue Links

      Java RSPEC-2785 Language-Specification Active Unassigned

      People

      Assignee: Unassigned
      Reporter: Ann Campbell (ann.campbell.2)