[
https://issues.apache.org/jira/browse/CXF-3390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13005076#comment-13005076
]
Ben Noordhuis commented on CXF-3390:
------------------------------------
Thanks for the quick reply, Sergey.
I wouldn't expect this to work properly with true singletons but this issue
also manifests itself when the resource is thread-local scoped (through a
Spring AOP proxy, couldn't get CXF to wire up request-scoped beans). The
resource is thread-safe, CXF can inject to its heart's desire.
> Injecting request parameters (as opposed to contexts) is thread-unsafe.
Agreed. Is there a reason why the runtime allows this? Shouldn't it complain
loudly?
> Field value from previous request is recycled when field is absent in new
> request
> ---------------------------------------------------------------------------------
>
> Key: CXF-3390
> URL: https://issues.apache.org/jira/browse/CXF-3390
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS
> Affects Versions: 2.4
> Reporter: Ben Noordhuis
> Priority: Critical
>
> This was tested against 2.3.1 and HEAD.
> Consider this class:
> {code}
> @Path("/test")
> public class Test {
> @QueryParam("q") private String q;
> @GET
> public void test() {
> System.err.println(q);
> }
> }
> {code}
> Now consider this test case:
> {noformat}
> $ curl http://localhost:8080/test # prints "null"
> $ curl http://localhost:8080/test?q=foo # prints "foo"
> $ curl http://localhost:8080/test # prints "foo" !
> {noformat}
> This is a serious bug because it leaks information. It's not specific to
> @QueryParam, the other annotations have the same problem.
> I discovered it in a resource that is used for authentication: after logging
> in once, I could log in again without providing a username and password!
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
