    protected static final String STATUS_SUCCESS = "Success";
    private static final
    SessionFactory factory = new Configuration().configure().buildSessionFactory();
    UserHibernateController userHibControl = new UserHibernateController(factory);

    @RequestMapping(value = "user/getUser", method = RequestMethod.GET)
    @ResponseStatus(value = HttpStatus.OK)
@Controller
public class FolderWeb {
    SessionFactory factory = new Configuration().configure().buildSessionFactory();
    FolderHibernateController folderHibControl = new FolderHibernateController(factory);

    @RequestMapping(value = "folder/getFolder", method = RequestMethod.GET)
    @ResponseStatus(value = HttpStatus.OK)
@Controller
public class FileWeb {
    SessionFactory factory = new Configuration().configure().buildSessionFactory();
    FileHibernateController fileHibControl = new FileHibernateController(factory);

    @RequestMapping(value = "file/getFile", method = RequestMethod.GET)
    @ResponseStatus(value = HttpStatus.OK)
@Controller
public class CourseWeb {
    SessionFactory factory = new Configuration().configure().buildSessionFactory();
    CourseHibernateController courseHibControl = new CourseHibernateController(factory);

    @RequestMapping(value = "course/getCourse", method = RequestMethod.GET)
    @ResponseStatus(value = HttpStatus.OK)
Spring components should not introduce unmanaged state variables (fields not managed by Spring).

Spring components such as @Component, @Controller, @Service, and @Repository are supposed to be singletons by default. This means that no more than one instance of such classes must exist in an application; that single instance is shared by every request thread that uses it. Furthermore, the state of these classes is managed by the Spring container.

Non-injected properties in such classes could indicate an attempt to manage state. Because the instance is shared, any request-specific data written to such a field is visible to every other request handled by the same bean. This introduces the risk of exposing data to clients that shouldn't have access to such data. For example, one might accidentally allow User1 to access User2's session if such patterns are followed throughout the source code.
Bad Practice
@Component
public class MyComponent {
    private Service someService;
}
Recommended
Consider injecting these fields explicitly with @Autowired instead of instantiating them inside the class. A field injected this way cannot be declared final, because the container assigns it after the object has been constructed.
@Component
public class MyComponent {
    @Autowired
    private Service someService;
}
Alternatively, use constructor injection to inject dependencies.
@Component
public class MyComponent {
    private final Service someService;

    @Autowired
    public MyComponent(Service someService) {
        this.someService = someService;
    }
}
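The following listing is an added example and is not code from this page or from the scanned project. It shows a singleton @Controller in the shape of the flagged classes that keeps a non-injected dependency and a per-request value in instance fields, next to the recommended version that takes its dependency through the constructor and keeps request data in a local variable. The names User, UserRepository, InMemoryUserRepository, LeakyUserWeb, UserWeb and the audit() hook are assumptions; the repository contents are constructed sample data, and the types are shown in one listing although each would live in its own file.

```java
// Added example, not code from the page or the scanned project.
// Hypothetical names: User, UserRepository, InMemoryUserRepository,
// LeakyUserWeb, UserWeb, audit(). One listing for readability; in a
// project each top-level type goes in its own file.
package example;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Repository;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

final class User {
    public final long id;      // public fields so the default JSON converter can serialize them
    public final String name;
    User(long id, String name) { this.id = id; this.name = name; }
}

interface UserRepository {
    User findById(long id);
}

// A managed bean: the container creates exactly one instance and injects it where needed.
@Repository
class InMemoryUserRepository implements UserRepository {
    // Constructed sample data for the example.
    private final Map<Long, User> users = new ConcurrentHashMap<>(
            Map.of(1L, new User(1L, "user1"), 2L, new User(2L, "user2")));

    @Override
    public User findById(long id) { return users.get(id); }
}

// BAD PRACTICE: singleton controller with unmanaged state.
@Controller
class LeakyUserWeb {
    // Unmanaged dependency: created with `new`, invisible to the container,
    // so it can neither be shared with other beans nor replaced in tests.
    private final UserRepository repo = new InMemoryUserRepository();

    // Unmanaged mutable state. The controller is a singleton, so this single
    // field is shared by every request thread that runs getUser() concurrently.
    private User currentUser;

    @RequestMapping(value = "user/getUser", method = RequestMethod.GET)
    public ResponseEntity<User> getUser(@RequestParam long id) {
        currentUser = repo.findById(id);       // request for User1 stores User1 here ...
        audit(currentUser);                    // ... a concurrent request for User2 overwrites it ...
        return ResponseEntity.ok(currentUser); // ... and User1's caller receives User2's record.
    }

    private void audit(User u) { /* hypothetical audit hook */ }
}

// RECOMMENDED: dependency injected through the constructor, request data kept local.
@Controller
class UserWeb {
    private final UserRepository repo; // assigned once by the container, never mutated

    @Autowired // optional on a class with a single constructor since Spring 4.3
    UserWeb(UserRepository repo) {
        this.repo = repo;
    }

    @RequestMapping(value = "user/getUser", method = RequestMethod.GET)
    public ResponseEntity<User> getUser(@RequestParam long id) {
        User user = repo.findById(id);         // local variable: confined to this request's thread
        audit(user);
        return ResponseEntity.ok(user);
    }

    private void audit(User u) { /* hypothetical audit hook */ }
}
```

The difference the rule is looking for is visible in the field declarations alone: in UserWeb the only field is a final, container-assigned collaborator, so the bean has no state of its own and nothing for one request to leak to another. Anything that varies per request (the looked-up user, the caller's identity, a session) stays on the stack as a method parameter or local, or lives in a request- or session-scoped bean that the container manages.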
References
- CWE-488 - Exposure of Data Element to Wrong Session
- OWASP Top Ten 2021 - Category A01 - Broken Access Control
- OWASP Top Ten 2021 - Category A04 - Insecure Design
- Spring Blog - Setter vs Construction Injection