21 lines
1.0 KiB
Plaintext
21 lines
1.0 KiB
Plaintext
=== is related to: S2223
|
||
|
||
=== on 25 Nov 2014, 11:00:13 Freddy Mallet wrote:
|
||
\[~ann.campbell.2] If you want I can take care to fully rewrite the rule in something like "Servlet should not have misleading non-static fields"
|
||
|
||
=== on 25 Nov 2014, 12:28:16 Ann Campbell wrote:
|
||
\[~freddy.mallet] the original requester was specific that the rule shouldn't be limited to just ``++Servlet++`` classes, but I'm happy to go along if you feel that would make a better rule.
|
||
|
||
|
||
BTW, he's also asking for an ignoreClasses parameter.
|
||
|
||
=== on 7 Mar 2019, 23:27:30 Victor Matskiv wrote:
|
||
The issue is not aligned with servlet semantics. Specifically:
|
||
|
||
|
||
A servlet can be legitimately initialized from ServletContext using ``++init(ServletContext)++`` method. This makes it impossible to qualify servlet fields as final.
|
||
|
||
|
||
Another suggestion to make servlet fields static introduces rather misleading semantics and contradicts the referenced document: \https://wiki.sei.cmu.edu/confluence/display/java/MSC11-J.+Do+not+let+session+information+leak+within+a+servlet
|
||
|