Question

I have a web application on WAS 6.1 using JAAS that is already working. It authenticates and authorizes in an orderly manner. But my logout page is not deauthorizing the principal. This application works correctly on JBoss and on GlassFish but not on WAS.

My logout page is just a simple JSP with this content.

<%
    System.out.println("principal is not null: " + (null != request.getUserPrincipal()));

    if (null != request.getSession(false)) {
        request.getSession(false).invalidate();
    }
%>
<jsp:include page="/index.html" />

Am I missing something? I would prefer not to use any WebSphere-specific API, but if it is absolutely needed I will.


Solution

To successfully log out, this code snippet is also needed:

try {
    com.ibm.websphere.security.WSSecurityHelper.revokeSSOCookies(request, response);
} catch (Exception e) {
    // catch all possible exceptions if you want or handle them separately
    out.println("JAASLogoutServlet: logout Exception = " + e.getMessage());
    throw new ServletException(e);
}
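The reason the question's JSP does not deauthorize the principal is that on WebSphere the authenticated identity is carried by the LTPA single-sign-on cookie, not by the HttpSession; invalidating the session leaves the cookie in place and the container re-establishes the principal on the next request. The following is an added example, not code from the question or the answer, of a complete logout servlet that combines session invalidation with the answer's WSSecurityHelper.revokeSSOCookies call and then redirects. The class name, the servlet path in the comment and the logging are assumptions; /index.html is the exit page used on this page.

```java
// Added example: a WebSphere logout servlet. Map it in web.xml to a path such as
// /logout (assumed) and point the logout link or form at it instead of at the JSP.
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.ibm.websphere.security.WSSecurityHelper;

public class JaasLogoutServlet extends HttpServlet {

    // Page the browser is sent to once the SSO cookie has been expired.
    private static final String EXIT_PAGE = "/index.html";

    // POST is the preferred verb: a logout reachable by GET can be triggered
    // from another origin with a plain <img src=...> (logout CSRF).
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        logout(request, response);
    }

    // GET is kept only so that an existing logout link keeps working.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        logout(request, response);
    }

    private void logout(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Principal before = request.getUserPrincipal();
        log("logout requested by " + (before == null ? "anonymous" : before.getName()));

        // Step 1: drop the application's own session state. On WebSphere this
        // does nothing to the SSO cookie, which is why the JSP alone is not enough.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Step 2: expire the LTPA SSO cookie(s) in the response. Without this the
        // container re-authenticates the browser from the cookie on its next
        // request and getUserPrincipal() is non-null again.
        try {
            WSSecurityHelper.revokeSSOCookies(request, response);
        } catch (Exception e) {
            log("revokeSSOCookies failed: " + e.getMessage(), e);
            throw new ServletException(e);
        }

        // Step 3: redirect instead of forwarding or including. A forward or
        // <jsp:include> reuses the current, still-authenticated request, so the
        // principal looks unchanged; a redirect makes the browser issue a fresh
        // request that carries the expired cookie, and that request is where
        // getUserPrincipal() == null can actually be observed.
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(request.getContextPath() + EXIT_PAGE);
    }
}
```

A practical check: after the redirect, call request.getUserPrincipal() on the exit page (or watch the Set-Cookie headers for the LTPA cookies being expired) rather than in the logout request itself, since the principal of the request that performs the logout is already established and revokeSSOCookies only changes the response. On WebSphere 8 and later, which support Servlet 3.0, HttpServletRequest.logout() offers a container-neutral alternative; WAS 6.1 implements Servlet 2.4 and does not have it, which is why the vendor call is needed there.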

OTHER TIPS

IBM also implements a form called ibm_security_logout. I've been using it on WebSphere 7.0, but it exists in previous versions. You can find more details in my answer to my question:

How do I logout from Java EE container managed security?

On WebSphere 8.5.5 (maybe in older versions, too) you can set a custom property.

Security -> Global Security -> Custom properties

com.ibm.ws.security.web.logoutOnHTTPSessionExpire=true
Licensed under: CC-BY-SA with attribution