Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: EAP_EWP 5.1.1
Affects Version/s: EAP_EWP 5.1.0
Component/s: Seam
Labels:
None

Affects:

Release Notes
Release Note Text:

Hide
Seam-RESTEasy integration module allowed anemic session requests to remain open when an exception occured during the JAX-RS request invocation. Accessing previously authenticated sessions was possible even if incorrect credentials were passed in a request. The code responsible for invalidating the session is now contained in a Java <code>finally</code> block. This fix prevents anemic session requests from remaining open.

Show
Seam-RESTEasy integration module allowed anemic session requests to remain open when an exception occured during the JAX-RS request invocation. Accessing previously authenticated sessions was possible even if incorrect credentials were passed in a request. The code responsible for invalidating the session is now contained in a Java <code>finally</code> block. This fix prevents anemic session requests from remaining open.
Release Note Status:
Documented as Resolved Issue
Docs QE Status:
VERIFIED

Description

Resteasy can be configured to destroy the websession right after the request (default behaviour). In few circumstances the session can't be destroyed anymore. Example is if using basic authentication you can access the previous authenticated session even if giving wrong credentials in request. This can end up in serious security issues. see http://seamframework.org/Community/ResteasyDestroySessionAfterRequestSeriousBug

Attachments

Activity

People

Assignee:: Jozef Hartinger

Reporter:: Jozef Hartinger

Writer:: Jared Morgan (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2011/01/26 5:54 AM

Updated:: 2011/05/06 1:12 AM

Resolved:: 2011/05/06 1:11 AM