Uploaded image for project: 'JBoss Enterprise Application Platform 4 and 5'
  1. JBoss Enterprise Application Platform 4 and 5
  2. JBPAPP-5823

Resteasy - destroy session after request skipped

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Blocker
    • Resolution: Done
    • Affects Version/s: EAP_EWP 5.1.0
    • Fix Version/s: EAP_EWP 5.1.1
    • Component/s: Seam
    • Labels:
      None
    • Affects:
      Release Notes
    • Release Notes Text:
      Hide
      Seam-RESTEasy integration module allowed anemic session requests to remain open when an exception occured during the JAX-RS request invocation. Accessing previously authenticated sessions was possible even if incorrect credentials were passed in a request. The code responsible for invalidating the session is now contained in a Java <code>finally</code> block. This fix prevents anemic session requests from remaining open.
      Show
      Seam-RESTEasy integration module allowed anemic session requests to remain open when an exception occured during the JAX-RS request invocation. Accessing previously authenticated sessions was possible even if incorrect credentials were passed in a request. The code responsible for invalidating the session is now contained in a Java <code>finally</code> block. This fix prevents anemic session requests from remaining open.
    • Release Notes Docs Status:
      Documented as Resolved Issue
    • Docs QE Status:
      VERIFIED

      Description

      Resteasy can be configured to destroy the websession right after the request (default behaviour). In few circumstances the session can't be destroyed anymore. Example is if using basic authentication you can access the previous authenticated session even if giving wrong credentials in request. This can end up in serious security issues. see http://seamframework.org/Community/ResteasyDestroySessionAfterRequestSeriousBug

        Gliffy Diagrams

          Attachments

            Issue Links

            duplicates

            Bug - A problem which impairs or prevents the functions of the product. JBSEAM-4770 Resteasy - destroy session after request skipped

            • Blocker - An issue (bug, feature, task) that blocks development and/or testing work, production could not run. An upcoming version that is affected by this issue cannot be released until it's addressed.
            • Closed

              Activity

                People

                • Assignee:
                  jharting Jozef Hartinger
                  Reporter:
                  jharting Jozef Hartinger
                  Writer:
                  Jared Morgan
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: