Details

    • Steps to Reproduce:
      Hide
      • Create a @RequestScoped provider
      • Return a non-proxyable object from it
      • @Inject the object into an @ApplicationScoped bean
      • Call the bean once to initialize the object
      • Call the bean subsequent times
      • Watch the object stay the same and incorrect for subsequent calls
      Show
      Create a @RequestScoped provider Return a non-proxyable object from it @Inject the object into an @ApplicationScoped bean Call the bean once to initialize the object Call the bean subsequent times Watch the object stay the same and incorrect for subsequent calls

      Description

      CDI allows injection of a non-proxyable object created by a provider into higher level contextes. This can lead to subtle bugs, see the following example, the first username that accesses the service is returned for other users:

      @ApplicationScoped
      public class ServiceClass {
      
          @Inject
          @UserName
          private String userName;
      
      }
      
      @RequestScoped
      public class UserNameProvider {
      
          @Inject
          private HttpServletRequest request;
      
          @Produces
          @UserName
          public String userName() {
              return request.getUserPrincipal().getName();
          }
      
      }
      

      CDI should fail to start when it detects such a situation. Do note that this bug does not require direct injection (Service->userName), it can occur transitively as well (Service->User->userName).

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                frigocoder Frigo Coder
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated: