Rule Definition
Avoid instance/non final static field in Action Class - Instance and static field should not be used in an Action class to store information related to the state of a particular request. The same instance of an Action class can be shared among multiple simultaneous requests through multi-threading - Instance/static field may however be used to share global resources across requests for the same action. The use of fields within a an Action class creates a security breach as this object is shared among multiple sessions and thus can lead to confidential data leaks

Remediation
Change the design of your Action class implementation if the field is not used to share global resources across requests for the same action. You should use local variables inside your methods, and pass whatever data you need to other methods in the class via parameters. Because local variables and method parameters exist once per *thread* instead of once per *instance*, so there is no problem in using them to store the state for a particular request.

Violation Code Sample

Public class BaseApplicationAction extends Action
{
static int StaticField; // VIOLATION
long Id;                     // VIOLATION

public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws Exception
[...]
}

Fixed Code Sample

Public class BaseApplicationAction extends Action
{
// FIXED
public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws Exception
[...]
}

http://struts.apache.org/struts-doc-1.2.7/api/org/apache/struts/action/Action.html