[Geoserver-devel] [jira] (GEOS-5053) Denial of service opportunity in REST API using new security system

David Winslow created GEOS-5053:
-----------------------------------

             Summary: Denial of service opportunity in REST API using new security system
                 Key: GEOS-5053
                 URL: https://jira.codehaus.org/browse/GEOS-5053
             Project: GeoServer
          Issue Type: Bug
          Components: Security
            Reporter: David Winslow
            Assignee: Andrea Aime
            Priority: Critical

After making a REST request with bad credentials on trunk, subsequent requests with correct credentials will fail authentication.

For example, I see this when using the release dataset:
$ curl http://localhost:8080/geoserver/rest/workspaces -u admin:geoserver -H 'Accept: text/xml'
# 200
$ curl http://localhost:8080/geoserver/rest/workspaces -u admin:geoserver.json -H 'Accept: text/xml'
# 401
$ curl http://localhost:8080/geoserver/rest/workspaces -u admin:geoserver -H 'Accept: text/xml'
# 401! Should be 200 again

Restarting GeoServer seems to bring back the user.
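As an added illustration (not GeoServer's code; the report does not state the root cause), a hypothetical authenticator that remembers failed logins per username with no expiry reproduces the 200/401/401 sequence above, beside a variant that caches only successful, credential-specific results and yields the expected 200/401/200. The user store and passwords are constructed sample data.

```python
# Added example, not GeoServer code. Shows one mechanism that produces the
# symptom in the report: a failed login poisons later correct logins for the
# same user (a lockout anyone who knows the username can trigger).
import hashlib
import hmac

USERS = {"admin": "geoserver"}  # constructed sample credential store


def _credentials_ok(user, password):
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


class NegativeCachingAuth:
    """Hypothetical defect: a failed login marks the username as bad, with no
    expiry, so later requests for that user are rejected without a check."""
    def __init__(self):
        self.failed_users = set()

    def check(self, user, password):
        if user in self.failed_users:
            return False
        ok = _credentials_ok(user, password)
        if not ok:
            self.failed_users.add(user)
        return ok


class SuccessOnlyCachingAuth:
    """Corrected variant: cache only successes, keyed by a digest of the full
    credential, so a bad password never changes the answer for other requests."""
    def __init__(self):
        self.cache = {}

    def check(self, user, password):
        key = (user, hashlib.sha256(password.encode()).hexdigest())
        if key in self.cache:
            return True
        ok = _credentials_ok(user, password)
        if ok:
            self.cache[key] = True
        return ok


def http_status(auth, user, password):
    return 200 if auth.check(user, password) else 401


def regression_sequence(auth):
    """The three requests from the report; the expected statuses are 200, 401, 200."""
    attempts = ("geoserver", "geoserver.json", "geoserver")
    return [http_status(auth, "admin", p) for p in attempts]


if __name__ == "__main__":
    print("negative cache:", regression_sequence(NegativeCachingAuth()))
    print("success only  :", regression_sequence(SuccessOnlyCachingAuth()))
```

The same three-request sequence, run with curl against a real instance, is the natural regression test for this issue.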
