[seam-issues] [JBoss JIRA] Updated: (JBSEAM-4770) Resteasy - destroy session after request skipped

Jozef Hartinger (JIRA) jira-events at lists.jboss.org
Wed Jan 26 05:51:49 EST 2011


     [ https://issues.jboss.org/browse/JBSEAM-4770?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jozef Hartinger updated JBSEAM-4770:
------------------------------------

    Fix Version/s: 2.2.1.Final
         Priority: Blocker  (was: Major)


> Resteasy - destroy session after request skipped 
> -------------------------------------------------
>
>                 Key: JBSEAM-4770
>                 URL: https://issues.jboss.org/browse/JBSEAM-4770
>             Project: Seam
>          Issue Type: Bug
>    Affects Versions: 2.2.1.CR3
>            Reporter: Lars Huber
>            Assignee: Jozef Hartinger
>            Priority: Blocker
>              Labels: resteasy
>             Fix For: 2.2.1.Final
>
>
> Resteasy can be configured to destroy the web session right after the request (default behaviour). In a few circumstances the session can't be destroyed anymore. An example: when using basic authentication, you can access the previously authenticated session even if giving wrong credentials in the request. This can end up in serious security issues. See http://seamframework.org/Community/ResteasyDestroySessionAfterRequestSeriousBug

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

