My understanding of a @RequestScoped bean is that CDI creates a new instance for each request. We have a @Stateless bean and have a @RequestScoped bean injected into it.
// MyStatelessBean.java
import javax.ejb.Local;
import javax.ejb.Stateless;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import javax.inject.Inject;
import javax.interceptor.Interceptors;

@Stateless
@Local(MyStateLessInterface.class)
@TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
@Interceptors({PerformanceLog.class, EntryExitLog.class})
public class MyStatelessBean implements MyStateLessInterface {
    // CDI injection point for the request-scoped bean.
    @Inject
    private MyRequestScopedBean requestScopedBean;
}

// MyRequestScopedBean.java
import javax.enterprise.context.RequestScoped;

@RequestScoped
public class MyRequestScopedBean {
    private String jasperPath;

    public void setJasperPath(String jasperPath) {
        this.jasperPath = jasperPath;
    }
    // Path will be set by MyStatelessBean; a different method in this class
    // uses this.jasperPath to generate a report.
}
Functionally this seems to work fine, but our DevOps team reports an issue identified by the Fortify tool, with the details below:
The class MyRequestScopedBean is a singleton, so the member field jasperPath is shared between users. The result is that one user could see another user's data.
Issue Category: Race Condition: Singleton Member Field
Application Name: Conexus-Reporting
Application Version Name: 1.0
Custom Tags:
Issue Detail: Many Servlet developers do not understand that a Servlet is a singleton. There is only one instance of the Servlet, and that single instance is used and re-used to handle multiple requests that are processed simultaneously by different threads.
A common result of this misunderstanding is that developers use Servlet member fields in such a way that one user may inadvertently see another user's data. In other words, storing user data in Servlet member fields introduces a data access race condition.
I have found some explanation here, but I am unable to reconcile it with my understanding. I am trying to understand why Fortify is complaining and whether we should take it seriously.
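As an added illustration (not code from the question or the project), the toy program below mimics what a CDI container does for a normal-scoped bean: the single field in the stateless bean holds a client proxy, and each call on the proxy is routed to the instance bound to the current request, modelled here with a ThreadLocal, so a jasperPath set by one request is not visible to another. It assumes RequestContext and MyRequestScopedBeanProxy as stand-ins for container internals and reuses the class names from the question.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class RequestScopeDemo {
    // Assumed stand-in for the container's request context: one bean instance
    // per thread, the way a container keeps one per HTTP request.
    static final class RequestContext {
        private static final ThreadLocal<MyRequestScopedBean> CURRENT = new ThreadLocal<>();
        static MyRequestScopedBean current() {
            MyRequestScopedBean bean = CURRENT.get();
            if (bean == null) { bean = new MyRequestScopedBean(); CURRENT.set(bean); }
            return bean;
        }
        static void end() { CURRENT.remove(); }  // request over: discard the instance
    }
    // The bean from the question (getter added so the demo can read the field).
    static class MyRequestScopedBean {
        private String jasperPath;
        void setJasperPath(String jasperPath) { this.jasperPath = jasperPath; }
        String getJasperPath() { return jasperPath; }
    }
    // Assumed stand-in for the CDI client proxy: same API, no state of its own,
    // every call delegates to the instance belonging to the current request.
    static final class MyRequestScopedBeanProxy extends MyRequestScopedBean {
        @Override void setJasperPath(String p) { RequestContext.current().setJasperPath(p); }
        @Override String getJasperPath() { return RequestContext.current().getJasperPath(); }
    }
    // Plays the role of MyStatelessBean's single injected field, shared by all requests.
    // Swapping in `new MyRequestScopedBean()` here reproduces the cross-user leak Fortify describes.
    static final MyRequestScopedBean requestScopedBean = new MyRequestScopedBeanProxy();

    // One request: set the path, pause so another request can interleave, read it back.
    static String handleRequest(String user) throws InterruptedException {
        requestScopedBean.setJasperPath("/reports/" + user + ".jrxml");  // constructed sample path
        Thread.sleep(50);
        String seen = requestScopedBean.getJasperPath();
        RequestContext.end();
        return seen;
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(2);
        Future<String> alice = pool.submit(() -> handleRequest("alice"));
        Future<String> bob = pool.submit(() -> handleRequest("bob"));
        System.out.println("alice saw " + alice.get() + ", bob saw " + bob.get());
        pool.shutdown();
    }
}
```

With the proxy in place each request reads back only its own path; with a single shared MyRequestScopedBean instance instead, which is the situation the Fortify message describes, the second request's setJasperPath overwrites the first's before it is read.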