Websphere 6.1 JAAS Logout
Question
I have an WebApplication on WAS 6.1 using JAAS already working. Authenticates and authorizes in a orderly manner. But my logout page is not deauthorizing the principal. This application works correctly on JBoss an on Glasfish but not on WAS.
My logout page is just a simple JSP with this content.
<%System.out.println("principal is not null:"+(null != request.getUserPrincipal()));
if (null != request.getSession(false))
request.getSession(false).invalidate();
%><jsp:include page="/index.html" />
Am I missing something? I would preffer not to use any specific API from Webpshere but if it is absolutely needed I will.
Solution
To succesfully logout this code snippet is also needed:
try {
com.ibm.websphere.security.WSSecurityHelper.revokeSSOCookies(request, response);
} catch(Exception e) {
// catch all possible exceptions if you want or handle them separately
out.println("JAASLogoutServlet: logout Exception = " + e.getMessage());
throw new ServletException(e);
}
OTHER TIPS
IBM also implements a form called ibm_security_logout. I've been using it on websphere 7.0, but it exist in previous version. You can find more details my answer to my question :
On WebSphere 8.5.5 (maybe in older versions, too) you can set custom property.
Security -> Global Security -> Custom properties
com.ibm.ws.security.web.logoutOnHTTPSessionExpire=true