[
https://jira.jboss.org/jira/browse/JBSEAM-3986?page=com.atlassian.jira.pl...
]
Shawn Gunsolley updated JBSEAM-3986:
------------------------------------
Description:
This request is for a compile warning when an EJB has member variables with Bijection or
Factory methods. The issue can cause a problem where users were passed incorrect
information via stateless beans.

The following is an example:

    @Stateless
    @Name("accountStuff")
    public class AccountStuffBean {
        @In(create=true)
        @Out
        private User user;

        @Factory("user")
        public void createUser() {
            // error occurs in User B
        }
    }

    @Name("user")
    @Scope(SESSION)
    public class User implements Serializable {
    }

Here is the scenario in which this goes south:
• User A - requests the stateless bean and creates the user information
  o This creates the local variable in the stateless bean for a user
  o This stores a reference to that variable in the Session of User A
  o Finally the stateless bean is returned to the container
• Now there are two places where the variable is present: the JEE container and the
  User A Session
• Due to JEE specs there is no requirement to clear the container bean's member variables
  (and JBoss does not clear this member variable)
• User B - hits the same portion of the code and is returned the Stateless bean that User
  A returned to the container
  o Seam checks if the variable is in the Session (it is not, because this is not User A)
  o Seam runs the factory and it fails, but no exception is thrown; the User A variable is
    outjected
  o ***User B is returned User A's variable for user***

This truly is a coding error; that is why this is an enhancement request. The developer
should not assume that the member variable clears in a stateless bean.

was:
This request is for a compile warning when an EJB has member variables with Bijection or
Factory methods. The issue can cause a problem where users were passed incorrect
information via stateless beans.

The following is an example:

    @Stateless
    @Name("accountStuff")
    public class AccountStuffBean {
        @In(create=true)
        @Out
        private User user;

        @Factory("user")
        public void createUser() {
            // error occurs in User B
        }
    }

    @Name("user")
    @Scope(SESSION)
    public class User implements Serializable {
    }

Here is the scenario in which this goes south:
• User A - requests the stateless bean and creates the user information
  o This creates the local variable in the stateless bean for a user
  o This stores a reference to that variable in the Session of User A
  o Finally the stateless bean is returned to the container
• Now there are two places where the variable is present: the JEE container and the
  User A Session
• Due to JEE specs there is no requirement to clear the container bean's member variables
  (and JBoss does not clear this member variable)
• User B - hits the same portion of the code and is returned the Stateless bean that User
  A returned to the container
  o Seam checks if the variable is in the Session (it is not, because this is not User A)
  o Seam checks to see if it should be created (it shouldn't, because it exists)
  o ***User B is returned User A's variable for user***

This truly is a coding error; that is why this is an enhancement request. The developer
should not assume that the member variable clears in a stateless bean.

EJB Warning Request with Bijection
----------------------------------
Key: JBSEAM-3986
URL: https://jira.jboss.org/jira/browse/JBSEAM-3986
Project: Seam
Issue Type: Feature Request
Components: Core, EJB3
Affects Versions: 2.1.1.GA
Environment: EJB3 used in a Seam application
Reporter: Shawn Gunsolley
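
One way to get the warning this request asks for, written as a reflection check that can run in a unit test or at deployment rather than at compile time. This is an added example, not code from the issue or from Seam: the nested annotations are stand-ins for javax.ejb.Stateless and Seam's @In, @Out and @Factory (matched by simple name), and StatelessBijectionCheck and warnings() are hypothetical names.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class StatelessBijectionCheck {
    // Stand-ins (assumption: the EJB and Seam jars are not on the classpath here).
    // Matching is by simple name, so the real annotations would match as well.
    @Retention(RetentionPolicy.RUNTIME) @interface Stateless {}
    @Retention(RetentionPolicy.RUNTIME) @interface In { boolean create() default false; }
    @Retention(RetentionPolicy.RUNTIME) @interface Out {}
    @Retention(RetentionPolicy.RUNTIME) @interface Factory { String value(); }

    static boolean has(AnnotatedElement e, String... names) {
        for (Annotation a : e.getAnnotations())
            if (Arrays.asList(names).contains(a.annotationType().getSimpleName())) return true;
        return false;
    }

    /** One warning per bijected field or @Factory method found on a stateless bean. */
    static List<String> warnings(Class<?> bean) {
        List<String> out = new ArrayList<>();
        if (!has(bean, "Stateless")) return out;   // only pooled stateless beans are in scope
        for (Field f : bean.getDeclaredFields())
            if (has(f, "In", "Out"))
                out.add(bean.getSimpleName() + "." + f.getName()
                        + ": bijected member field on a @Stateless bean");
        for (Method m : bean.getDeclaredMethods())
            if (has(m, "Factory"))
                out.add(bean.getSimpleName() + "." + m.getName()
                        + "(): @Factory method on a @Stateless bean");
        return out;
    }

    // Constructed samples: the first mirrors the bean in the report.
    static class User implements java.io.Serializable {}
    @Stateless static class AccountStuffBean {
        @In(create = true) @Out private User user;
        @Factory("user") public void createUser() {}
    }
    static class PlainHelper { private User user; }   // not an EJB, so never flagged

    public static void main(String[] args) {
        warnings(AccountStuffBean.class).forEach(System.out::println);
        System.out.println("PlainHelper warnings: " + warnings(PlainHelper.class).size());
    }
}
```

Run over every component class in a build, a non-empty result can fail the test, so the pattern is caught before a pooled instance is ever shared between two users' requests.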