JAVA-S1060

Spring component introduces unmanaged state (JAVA-S1060)

Severity: Critical
Category: Security
Tags: a01, a04, security, owasp-top-10

Spring components should not introduce unmanaged state variables (fields that are not managed by the Spring container).

Spring components such as @Component, @Controller, @Service, and @Repository are singletons by default: no more than one instance of such a class exists in the application, and the Spring container manages the state of that instance.

Non-injected fields in such classes can indicate an attempt to manage state by hand. Because the single instance is shared by every request, this introduces the risk of exposing data to clients that should not have access to it. For example, if this pattern is followed throughout the source code, one might accidentally allow User1 to access User2's session.

Bad Practice

@Component
public class MyComponent {
    // Not injected and never assigned by the container: unmanaged state
    private Service someService;
}

Consider injecting these fields explicitly with @Autowired (field injection). Note that a field-injected field cannot be final, since the container assigns it after construction.

@Component
public class MyComponent {
    @Autowired
    private Service someService; // assigned by the Spring container
}

Alternatively, use constructor injection, which also allows the field to be final:

@Component
public class MyComponent {
    private final Service someService;

    // The container resolves Service and passes it in; the field is never reassigned
    @Autowired
    public MyComponent(Service someService) {
        this.someService = someService;
    }
}
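The cross-user exposure the rule describes, shown concretely as an added example (not code from the rule page): a singleton service that stashes per-request data in a field, beside a stateless version that keeps only injected dependencies. Spring's @Service and @Autowired are the real annotations; Session, SessionRepository and the user ids are assumed application types and values.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

// Assumed application types (not part of Spring or the rule page).
class Session {}
interface SessionRepository {
    Session findByUser(String userId);
}

// BAD: the single shared instance stores request-specific state in a field.
// Two requests handled concurrently on different threads share currentUserId,
// so a value written while serving user A can be read while serving user B,
// and loadSession() may return another user's session.
@Service
class StatefulSessionLookup {
    @Autowired
    private SessionRepository sessionRepository;

    private String currentUserId; // unmanaged, per-request state in a singleton

    public void setCurrentUser(String userId) {
        this.currentUserId = userId;
    }

    public Session loadSession() {
        return sessionRepository.findByUser(currentUserId); // may be someone else's id
    }
}

// GOOD: the only field is an injected, final dependency. Request data travels
// as a method parameter, so the singleton has nothing to leak between callers.
@Service
class StatelessSessionLookup {
    private final SessionRepository sessionRepository;

    @Autowired
    public StatelessSessionLookup(SessionRepository sessionRepository) {
        this.sessionRepository = sessionRepository;
    }

    public Session loadSession(String userId) {
        return sessionRepository.findByUser(userId);
    }
}
```

A review check that follows from the rule: any field in a singleton component that is neither injected nor a constant is a candidate for this defect, and the fix is to pass the value through method parameters or move it to a non-singleton scope.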
