IBM Support

IBM FileNet Application Engine's Workplace login page does not display after Sign Out

Technical Blog Post


Abstract

IBM FileNet Application Engine's Workplace login page does not display after Sign Out

Body

In IBM FileNet Application Engine, when a logged-in user clicks the Sign Out link, the application displays a "You have been signed out of Workplace, Click to Return to Workplace" message. Clicking the "Click to Return to Workplace" link logs the user in again with the same user ID. The user is not presented with a login page. The user must close and restart the browser before the login page will display. This is the expected behavior when IBM FileNet Application Engine is installed with the Container Managed Authentication (CMA) model.

 

The IBM FileNet Application Engine installation gives the option to install Workplace with either Application Managed Authentication (AMA) or Container Managed Authentication (CMA).

 

AMA is a forms-based authentication, but it is the Workplace application itself that redirects unauthenticated user requests to a login page and encodes the credentials supplied on that page in the user's JavaServer Pages (JSP) session. This mode supports only user name and password credentials. The credentials that are collected from the Application Engine login page are used to programmatically perform a JAAS login. This mode is the current default behavior of Workplace.

 

With CMA, the application does not control the authentication process. The deployment descriptor for the application specifies the security constraints required to access application pages and the authentication method that should be used. The following standard methods that are defined by the Servlet specification are supported:

Forms-Based Authentication: The container redirects the user to an HTML page, where the user's credentials are collected.

Basic Authentication: The container uses standard HTTP options to direct the user's browser to prompt for user name and password credentials.

HTTPS Client Authentication: This mechanism requires each user to have their own Public Key Certificate (PKC), and requires the use of an HTTPS (SSL) connection between the client and the server.

Perimeter authentication: This option is how most SSO products integrate with a Java EE application server. Client browsers running Workplace are redirected to a proxy server that authenticates the caller and places a token in an HTTP header for them. When the request reaches the server, the container extracts the credentials and invokes SSO provider software that performs a JAAS login using them. This is known as perimeter authentication because the actual authentication occurs outside of the container. Clients are already authenticated before their servlet requests arrive at the server. See JAVA-based client authentication and the examples in Single sign-on integrations via JAAS for more information. Perimeter authentication lets Workplace leverage standard integrations between the application server vendors and the SSO technology vendors.
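
As an added illustration (not taken from the Workplace product or from this post), a Servlet deployment descriptor for a container-managed application has the following shape. The resource name, role name and JSP paths are hypothetical, and FORM is shown where BASIC or CLIENT-CERT could be configured instead.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example of a web.xml for container-managed authentication.
     Names and paths are hypothetical; this is not the Workplace descriptor. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Security constraint: which pages require an authenticated caller. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ProtectedPages</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Only callers the container has mapped to this role get through. -->
      <role-name>AppUser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require an HTTPS connection for the protected pages. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authentication method: the container, not the application,
       challenges the user and validates the credentials. -->
  <login-config>
    <!-- Forms-Based Authentication. The other standard values are
         BASIC (browser prompt) and CLIENT-CERT (HTTPS client certificate). -->
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles referenced by the constraint above must be declared. -->
  <security-role>
    <role-name>AppUser</role-name>
  </security-role>
</web-app>
```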

 


UID

ibm11280596