[
https://issues.jboss.org/browse/JBSEAM-4775?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12579799#comment-12579799
]
Lars Huber commented on JBSEAM-4775:
------------------------------------
only session.isNew() is not enough. In cases of AuthenticationFilter (see
below) for these resteasy services and wrong or missing credentials will never
destroy the session. You must know if session must be destroyed right after
failing AuthenticationFilter or at least on next call of
ResteasyResourceAdapter. This is the case if the session was created for such a
resteasy call.
<resteasy:application resource-path-prefix="/restv1"
destroy-session-after-request="true"/>
<web:authentication-filter url-pattern="/seam/resource/restv1/*"
auth-type="basic" />
> Session invalidated on every request if anemic sessions are used
> ----------------------------------------------------------------
>
> Key: JBSEAM-4775
> URL: https://issues.jboss.org/browse/JBSEAM-4775
> Project: Seam
> Issue Type: Bug
> Components: WS
> Affects Versions: 2.2.1.Final
> Reporter: Jozef Hartinger
> Assignee: Jozef Hartinger
> Priority: Critical
>
> http://seamframework.org/Community/ResteasyDestroySessionAfterRequestSeriousBug#comment148408
> Check if a session isNew() before invalidating it.
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
seam-issues mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/seam-issues
