Details
- Bug
- Resolution: Done
- Blocker
- EAP_EWP 5.1.0
- None
- Release Notes: Documented as Resolved Issue
- VERIFIED
Description
Resteasy can be configured to destroy the web session right after the request (the default behaviour). In a few circumstances the session can no longer be destroyed. For example, when using basic authentication you can access the previously authenticated session even when giving wrong credentials in the request. This can end up in serious security issues. See http://seamframework.org/Community/ResteasyDestroySessionAfterRequestSeriousBug