By contract, a servlet container creates one instance of each servlet and then a dedicated thread is attached to each new incoming HTTP request to process the request. So all threads share the servlet instances and by extension their instance fields. To prevent any misunderstanding and unexpected behavior at runtime, all servlet fields should then be either ``++static++`` and/or ``++final++``, or simply removed.
With Struts 1.X, the same constraint exists on ``++org.apache.struts.action.Action++``.
== Noncompliant Code Example
----
public class MyServlet extends HttpServlet {
private String userName; //As this field is shared by all users, it's obvious that this piece of information should be managed differently
...
}
----
or
----
public class MyAction extends Action {
private String userName; //Same reason
...
}
----
== Exceptions
* Fields annotated with ``++@javax.inject.Inject++``, ``++@javax.ejb.EJB++``, ``++@org.springframework.beans.factory.annotation.Autowired++``, ``++@javax.annotation.Resource++``
* Fields initialized in ``++init()++`` or ``++init(ServletConfig config)++`` methods
== See
* https://wiki.sei.cmu.edu/confluence/x/2TZGBQ[CERT, MSC11-J.] - Do not let session information leak within a servlet
