Spring component introduces unmanaged state JAVA-S1060

Spring components should not introduced unmanaged state variables (fields not managed by Spring).

Spring components such as @Component, @Controller, @Service, and @Repository are supposed to be singletons by default. This means that no more than one instance of such classes must exist in an application. Furthermore, the state of these classes is managed by the Spring container.

Non-injected properties in such classes could indicate an attempt to manage state. This introduces the risk of exposing data to clients that shouldn't have access to such data. For example, one might accidentally allow User1 to access User2's session if such patterns are followed throughout the source code.

Bad Practice

@Component
public class MyComponent {
    private Service someService;
}

Recommended

Consider injecting these fields manually.

@Component
public class MyComponent {
    @Autowired
    private final Service someService;
}

Alternatively, use constructor injection to inject dependencies.

@Component
public class MyComponent {
    private final Service someService;

    @Autowired
    public MyComponent(Service someService) {
        this.someService = someService;
    }
}

References

• CWE-488 - Exposure of Data Element to Wrong Session
• OWASP Top Ten 2021 - Category A01 - Broken Access Control
• OWASP Top Ten 2021 - Category A04 - Insecure Design
• Spring Blog - Setter vs Construction Injection