[seam-issues] [JBoss JIRA] Closed: (JBSEAM-4770) Resteasy - destroy session after request skipped

Marek Novotny (JIRA) jira-events at lists.jboss.org
Thu Jan 27 17:14:03 EST 2011


     [ https://issues.jboss.org/browse/JBSEAM-4770?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marek Novotny closed JBSEAM-4770.
---------------------------------



> Resteasy - destroy session after request skipped 
> -------------------------------------------------
>
>                 Key: JBSEAM-4770
>                 URL: https://issues.jboss.org/browse/JBSEAM-4770
>             Project: Seam
>          Issue Type: Bug
>    Affects Versions: 2.2.1.CR3
>            Reporter: Lars Huber
>            Assignee: Jozef Hartinger
>            Priority: Blocker
>              Labels: resteasy
>             Fix For: 2.2.1.Final
>
>
> Resteasy can be configured to destroy the web session right after the request (default behaviour). In a few circumstances the session can't be destroyed anymore. An example: when using basic authentication, you can access the previously authenticated session even if giving wrong credentials in the request. This can end up in serious security issues. See http://seamframework.org/Community/ResteasyDestroySessionAfterRequestSeriousBug

-- 
This message is automatically generated by JIRA.