Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Done
    • Affects Version/s: EAP_EWP 5.1.0
    • Fix Version/s: EAP_EWP 5.1.1
    • Component/s: Seam
    • Labels:
      None
    • Affects:
      Release Notes
    • Release Notes Text:
      The Seam-RESTEasy integration module allowed anemic session requests to remain open when an exception occurred during the JAX-RS request invocation. Accessing previously authenticated sessions was possible even if incorrect credentials were passed in a request. The code responsible for invalidating the session is now contained in a Java finally block. This fix prevents anemic session requests from remaining open.
    • Release Notes Docs Status:
      Documented as Resolved Issue
    • Docs QE Status:
      VERIFIED

      Description

      Resteasy can be configured to destroy the web session right after the request (default behaviour). In a few circumstances the session can't be destroyed anymore. For example, when using basic authentication you can access the previously authenticated session even if wrong credentials are given in the request. This can end up in serious security issues. See http://seamframework.org/Community/ResteasyDestroySessionAfterRequestSeriousBug
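      The failure mode the description and the release note describe, as an added example that is not Seam or RESTEasy code: Session, dispatchUnsafe and dispatchSafe are hypothetical stand-ins for the per-request web session and the JAX-RS request invocation, and the only difference between the two dispatchers is whether session invalidation sits in a finally block.

```java
import java.util.concurrent.Callable;

// Hypothetical stand-ins, not Seam or RESTEasy classes: a per-request web
// session and the JAX-RS resource call that may throw (e.g. bad credentials).
public class SessionCleanupDemo {
    static final class Session {
        private boolean valid = true;
        boolean isValid() { return valid; }
        void invalidate() { valid = false; }
    }

    // Vulnerable shape: invalidate() is only reached when the call succeeds.
    // If the call throws, the catch maps an error response and the session
    // from the failed request stays open for later requests to reuse.
    static Session dispatchUnsafe(Session session, Callable<Void> call) {
        try {
            call.call();
            session.invalidate();
        } catch (Exception e) {
            // error response would be produced here; cleanup was skipped
        }
        return session;
    }

    // Fixed shape, matching the release note: invalidation lives in finally,
    // so it runs on success and on every exception path alike.
    static Session dispatchSafe(Session session, Callable<Void> call) {
        try {
            call.call();
        } catch (Exception e) {
            // error response would be produced here
        } finally {
            session.invalidate();
        }
        return session;
    }

    public static void main(String[] args) {
        // Constructed request that fails authentication by throwing.
        Callable<Void> badCredentials = () -> {
            throw new SecurityException("authentication failed");
        };
        Session leaked = dispatchUnsafe(new Session(), badCredentials);
        Session cleaned = dispatchSafe(new Session(), badCredentials);
        System.out.println("without finally, session still valid: " + leaked.isValid());
        System.out.println("with finally, session still valid: " + cleaned.isValid());
    }
}
```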

                People

                • Assignee:
                  jharting Jozef Hartinger
                  Reporter:
                  jharting Jozef Hartinger
                  Writer:
                  Jared Morgan
                • Votes:
                  0
                  Watchers:
                  2