[seam-issues] [JBoss JIRA] Created: (JBSEAM-4770) Resteasy - destroy session after request skipped
Lars Huber (JIRA)
jira-events at lists.jboss.org
Tue Jan 25 18:51:49 EST 2011
Resteasy - destroy session after request skipped
-------------------------------------------------
Key: JBSEAM-4770
URL: https://issues.jboss.org/browse/JBSEAM-4770
Project: Seam
Issue Type: Bug
Affects Versions: 2.2.1.CR3
Reporter: Lars Huber
Resteasy can be configured to destroy the web session right after the request (default behaviour). In a few circumstances the session can't be destroyed anymore. For example, when using basic authentication, you can access the previously authenticated session even when giving wrong credentials in the request. This can end up in serious security issues. See http://seamframework.org/Community/ResteasyDestroySessionAfterRequestSeriousBug
--
This message is automatically generated by JIRA.