[ https://issues.jboss.org/browse/JBSEAM-4775?page=com.atlassian.jira.plugi... ] Lars Huber commented on JBSEAM-4775: ------------------------------------ only session.isNew() is not enough. In cases of AuthenticationFilter (see below) for these resteasy services and wrong or missing credentials will never destroy the session. You must know if session must be destroyed right after failing AuthenticationFilter or at least on next call of ResteasyResourceAdapter. This is the case if the session was created for such a resteasy call. <resteasy:application resource-path-prefix="/restv1" destroy-session-after-request="true"/> <web:authentication-filter url-pattern="/seam/resource/restv1/*" auth-type="basic" /> -- This message is automatically generated by JIRA. - For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/JBSEAM-4775?page=com.atlassian.jira.plugi... ] Jozef Hartinger resolved JBSEAM-4775. ------------------------------------- Resolution: Done Let's split these two problems apart. Let's fix undesired invalidation of intentionally long-running sessions (JSF) in this issue and track the issue with authentication mechanisms in JBSEAM-4779. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/JBSEAM-4775?page=com.atlassian.jira.plugi... ] Jozef Hartinger closed JBSEAM-4775. ----------------------------------- -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira