JSR-299 specifications states that public field access of non @Dependent scoped beans is not allowed
3.1 - Managed beans:... If a managed bean has a public field, it must have scope @Dependent. If a managed bean with a public field declares any
scope other than @Dependent, the container automatically detects the problem and treats it as a definition error.
I think this is because client proxies used to discover scoped bean instances cannot proxy direct field access but only method access.
That's ok, but I'm wondering if it's correct letting access protected and package-private fields.
I think you cannot proxy these type of access too!
I tried to inject a session scoped bean with package-private field into another bean.
Than I set a value using a setter method (the proxy do it on the correct session scoped instance) and now read the value directly from package-private field (obviously both beans are in the same package).
What I read is not what I set, rather, now what you read is the proxy field!
I think it's a bug.
Correct me if I'm wrong, but IMO the specifications should be updated to disallow direct field access to client proxied beans.
I think the reason is that protected and package-private fields can simplify unit testing (mocking). IMHO the only client proxy responsibility is to delegate all method calls to the current instance (see 5.4. Client proxies) so you should not access its fields directly... although you're right that it's a little bit tricky right now.