Resteasy - destroy session after request skipped
-------------------------------------------------
Key: JBSEAM-4770
URL: https://issues.jboss.org/browse/JBSEAM-4770
Project: Seam
Issue Type: Bug
Affects Versions: 2.2.1.CR3
Reporter: Lars Huber
Resteasy can be configured to destroy the web session right after the request
(default behaviour). In a few circumstances the session can't be destroyed
anymore. For example, when using basic authentication you can access the
previously authenticated session even if giving wrong credentials in the
request. This can end up in serious security issues. See
http://seamframework.org/Community/ResteasyDestroySessionAfterRequestSeriousBug