David Winslow created GEOS-5053:
-----------------------------------
Summary: Denial of service opportunity in REST API using new security system
Key: GEOS-5053
URL: https://jira.codehaus.org/browse/GEOS-5053
Project: GeoServer
Issue Type: Bug
Components: Security
Reporter: David Winslow
Assignee: Andrea Aime
Priority: Critical
After making a REST request with bad credentials on trunk, subsequent requests with correct credentials will fail authentication.
For example, I see this when using the release dataset:
$ curl http://localhost:8080/geoserver/rest/workspaces -u admin:geoserver -H 'Accept: text/xml'
# 200
$ curl http://localhost:8080/geoserver/rest/workspaces -u admin:geoserver.json -H 'Accept: text/xml'
# 401
$ curl http://localhost:8080/geoserver/rest/workspaces -u admin:geoserver -H 'Accept: text/xml'
# 401! Should be 200 again
Restarting GeoServer seems to bring back the user.
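A regression check for the 200 / 401 / 200 sequence in this report, as an added example that is not part of the original issue or of GeoServer's code. The URL and credentials are the ones shown in the report; the variable and function names (BASE_URL, GOOD_CRED, BAD_CRED, fetch_status, check_auth_recovery) and the RUN_CHECK switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example: verifies that one failed login does not break later valid logins.
# Defaults are the values shown in the report; override via the environment.
BASE_URL="${BASE_URL:-http://localhost:8080/geoserver/rest/workspaces}"
GOOD_CRED="${GOOD_CRED:-admin:geoserver}"
BAD_CRED="${BAD_CRED:-admin:geoserver.json}"

# fetch_status CRED: print the HTTP status code of one request.
# Kept separate so a test can replace it with a stub.
fetch_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        -u "$1" -H 'Accept: text/xml' "$BASE_URL"
}

# check_auth_recovery: returns 0 if valid credentials still work after a
# failed attempt, 1 if they do not (or bad credentials were not rejected),
# 2 if the baseline request did not succeed.
check_auth_recovery() {
    before=$(fetch_status "$GOOD_CRED")
    if [ "$before" != 200 ]; then
        echo "SKIP: baseline request returned $before, expected 200" >&2
        return 2
    fi
    bad=$(fetch_status "$BAD_CRED")
    if [ "$bad" != 401 ]; then
        echo "FAIL: bad credentials returned $bad, expected 401" >&2
        return 1
    fi
    after=$(fetch_status "$GOOD_CRED")
    if [ "$after" != 200 ]; then
        echo "FAIL: valid credentials returned $after after a failed attempt" >&2
        return 1
    fi
    echo "OK: 200 / 401 / 200"
    return 0
}

# Run against a live instance only when explicitly requested.
if [ "${RUN_CHECK:-}" = 1 ]; then
    check_auth_recovery
fi
```

Run it with RUN_CHECK=1 against a test instance; a non-zero exit status of 1 means the behaviour described in this report is present.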