1. The main problem is your setServlet(ActionServlet actionServlet) method; what it does is really initialization work. Try doing it first in BaseAction's constructor, so that there is a clear before-and-after ordering, and it may no longer report the high-risk error.
It can't be done in the constructor, because initializing wac needs the actionServlet parameter. The ActionServlet shouldn't be obtainable inside the constructor, should it?
2. If all else fails, write a lazy-loading method: in it, check whether wac is null; if it is, initialize it, otherwise just return the existing wac.
Following your suggestion I changed the code as follows, but the high-risk error is still reported:
import javax.servlet.ServletContext;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionServlet;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

public class BaseAction extends Action {
    // Instance fields of a Struts Action: one Action instance is shared by every request thread
    private WebApplicationContext wac;
    protected ServletContext context;

    // Called by Struts when the ActionServlet is attached; resolves the Spring context lazily
    public void setServlet(ActionServlet actionServlet) {
        super.setServlet(actionServlet);
        if (wac == null) {
            context = actionServlet.getServletContext();
            wac = WebApplicationContextUtils.getRequiredWebApplicationContext(context);
        }
    }

    protected Object getBean(String beanName) {
        return wac.getBean(beanName);
    }
}
The error report is as follows:
ABSTRACT
Servlet member fields may allow one user to see another user's data.
EXPLANATION
Many Servlet developers do not understand that, unless a Servlet implements the SingleThreadModel interface, the Servlet is a singleton; there is only one instance of the Servlet, and that single instance is used and re-used to handle multiple requests that are processed simultaneously by different threads.
A common result of this misunderstanding is that developers use Servlet member fields in such a way that one user may inadvertently see another user's data. In other words, storing user data in Servlet member fields introduces a data access race condition.
Example 1: The following Servlet stores the value of a request parameter in a member field and then later echoes the parameter value to the response output stream.
public class GuestBook extends HttpServlet {
    String name;

    protected void doPost(HttpServletRequest req, HttpServletResponse res) {
        name = req.getParameter("name");
        ...
        out.println(name + ", thanks for visiting!");
    }
}
While this code will work perfectly in a single-user environment, if two users access the Servlet at approximately the same time, it is possible for the two request handler threads to interleave in the following way:
    Thread 1: assign "Dick" to name
    Thread 2: assign "Jane" to name
    Thread 1: print "Jane, thanks for visiting!"
    Thread 2: print "Jane, thanks for visiting!"
Thereby showing the first user the second user's name.
RECOMMENDATIONS
Do not use Servlet member fields for anything but constants. (i.e. make all member fields static final).
Developers are often tempted to use Servlet member fields for user data when they need to transport data from one region of code to another. If this is your aim, consider declaring a separate class and using the Servlet only to "wrap" this new class.
Example 2: The bug in the example above can be corrected in the following way:
public class GuestBook extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse res) {
        GBRequestHandler handler = new GBRequestHandler();
        handler.handle(req, res);
    }
}

public class GBRequestHandler {
    String name;

    public void handle(HttpServletRequest req, HttpServletResponse res) {
        name = req.getParameter("name");
        ...
        out.println(name + ", thanks for visiting!");
    }
}
Alternatively, a Servlet can implement the SingleThreadModel interface, in which case the Servlet container will maintain a pool of Servlet objects and dispatch a different object to process each request. Depending on the container implementation and the needs of the application, using the SingleThreadModel interface may cause significant performance problems.
REFERENCES
[1] The Java Servlet Specification, Sun Microsystems, http://java.sun.com/products/servlet/download.html
INSTANCE ID: 3D9FCE421944A87E40229CF99BAA0E1C
RULE ID: 9818E2BB-8E28-4CBE-88CD-DE8DF5EFF040
SCA CONFIDENCE: 5.0
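The report above is raised on the two instance fields (wac and context) alone. What they hold is the application-wide Spring context rather than anything user-specific, so the posted version cannot leak one user's data to another, but the rule is written for any non-constant member field, and the unsynchronized if (wac == null) check is still shared state. The direct way to satisfy the scanner is to keep no fields at all and resolve the context on each call: Struts already retains the ActionServlet for you via getServlet(), and getRequiredWebApplicationContext() only reads the ServletContext attribute that Spring's ContextLoaderListener stored at startup, so the lookup is cheap. The following is an added example written for this thread, not code posted by anyone in it; it assumes Struts 1.x and Spring on the classpath with ContextLoaderListener registered in web.xml (which the posted code already requires), and GuestBookAction together with its "success" forward are hypothetical illustrations.

```java
// Added example, not from the thread: a Struts 1 BaseAction without mutable
// member fields, so the rule quoted in the report has nothing to flag.
// Assumes Struts 1.x and Spring (ContextLoaderListener registered in web.xml)
// on the classpath. GuestBookAction and the "success" forward are hypothetical.
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

public class BaseAction extends Action {

    // Deliberately no instance fields: one Action instance serves every
    // request thread, so any field here is state shared across users.

    // Resolve the Spring context on each call instead of caching it in a
    // field. Struts keeps the ActionServlet for us (getServlet()), and
    // getRequiredWebApplicationContext() only reads the ServletContext
    // attribute that ContextLoaderListener stored at startup, so this is a
    // cheap lookup with no lazy-initialisation check to race on.
    protected WebApplicationContext getWebApplicationContext() {
        ServletContext ctx = getServlet().getServletContext();
        return WebApplicationContextUtils.getRequiredWebApplicationContext(ctx);
    }

    protected Object getBean(String beanName) {
        return getWebApplicationContext().getBean(beanName);
    }
}

// Hypothetical subclass showing where per-request data belongs: in local
// variables or on the request itself, never in a field of the singleton.
class GuestBookAction extends BaseAction {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        String name = request.getParameter("name");   // local to this thread only
        request.setAttribute("greeting", name + ", thanks for visiting!");
        return mapping.findForward("success");
    }
}
```

With the fields gone there is nothing for the "Servlet member fields" rule to match, and subclasses get the same getBean(String) they had before. If a subclass later needs to carry a value between its own methods during one request, pass it as a parameter or store it on the HttpServletRequest, the same advice the report gives with its GBRequestHandler example.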