[ https://issues.jboss.org/browse/JBSEAM-4770?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shane Bryzak reassigned JBSEAM-4770:
------------------------------------
Assignee: Jozef Hartinger
> Resteasy - destroy session after request skipped
> -------------------------------------------------
>
> Key: JBSEAM-4770
> URL: https://issues.jboss.org/browse/JBSEAM-4770
> Project: Seam
> Issue Type: Bug
> Affects Versions: 2.2.1.CR3
> Reporter: Lars Huber
> Assignee: Jozef Hartinger
> Labels: resteasy
>
> Resteasy can be configured to destroy the web session right after the request
> (default behaviour). In a few circumstances the session can't be destroyed
> anymore. For example, when using basic authentication you can access the
> previously authenticated session even when giving wrong credentials in the
> request. This can end up in serious security issues. See
> http://seamframework.org/Community/ResteasyDestroySessionAfterRequestSeriousBug
_______________________________________________
seam-issues mailing list
https://lists.jboss.org/mailman/listinfo/seam-issues