Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Obsolete
Priority: Major
Fix Version/s: None
Affects Version/s: None
Component/s: Beans, Contexts, Java EE integration
Labels:
None

Steps to Reproduce:
Hide

Create a @RequestScoped provider

Return a non-proxyable object from it

@Inject the object into an @ApplicationScoped bean

Call the bean once to initialize the object

Call the bean subsequent times

Watch the object stay the same and incorrect for subsequent calls
Show
Create a @RequestScoped provider Return a non-proxyable object from it @Inject the object into an @ApplicationScoped bean Call the bean once to initialize the object Call the bean subsequent times Watch the object stay the same and incorrect for subsequent calls

Description

CDI allows injection of a non-proxyable object created by a provider into higher level contextes. This can lead to subtle bugs, see the following example, the first username that accesses the service is returned for other users:

@ApplicationScoped
public class ServiceClass {

    @Inject
    @UserName
    private String userName;

}

@RequestScoped
public class UserNameProvider {

    @Inject
    private HttpServletRequest request;

    @Produces
    @UserName
    public String userName() {
        return request.getUserPrincipal().getName();
    }

}

CDI should fail to start when it detects such a situation. Do note that this bug does not require direct injection (Service->userName), it can occur transitively as well (Service->User->userName).

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Frigo Coder (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2018/11/29 5:50 AM

Updated:: 2021/05/19 7:20 AM

Resolved:: 2021/05/19 7:20 AM