[seam-issues] [JBoss JIRA] Assigned: (JBSEAM-4770) Resteasy - destroy session after request skipped

Shane Bryzak (JIRA) jira-events at lists.jboss.org
Tue Jan 25 18:53:49 EST 2011


     [ https://issues.jboss.org/browse/JBSEAM-4770?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shane Bryzak reassigned JBSEAM-4770:
------------------------------------

    Assignee: Jozef Hartinger


> Resteasy - destroy session after request skipped 
> -------------------------------------------------
>
>                 Key: JBSEAM-4770
>                 URL: https://issues.jboss.org/browse/JBSEAM-4770
>             Project: Seam
>          Issue Type: Bug
>    Affects Versions: 2.2.1.CR3
>            Reporter: Lars Huber
>            Assignee: Jozef Hartinger
>              Labels: resteasy
>
> Resteasy can be configured to destroy the web session right after the request (default behaviour). In a few circumstances the session can't be destroyed anymore. An example is when using basic authentication: you can access the previously authenticated session even if giving wrong credentials in the request. This can end up in serious security issues. See http://seamframework.org/Community/ResteasyDestroySessionAfterRequestSeriousBug

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

