Topic
IC4NOTICE: developerWorks Community will be offline May 29-30, 2015 while we upgrade to the latest version of IBM Connections. For more information, read our upgrade FAQ.
4 replies Latest Post - ‏2011-04-20T13:40:50Z by tzhao
tzhao
tzhao
15 Posts
ACCEPTED ANSWER

Pinned topic How to programmatically get LTPA and LTPA V2 cookie name

‏2011-04-18T18:44:29Z |
Since WebSphere v8 allows user to set LTPA and LTPA V2 cookie name (from Security -> Global security -> Single sign-on (SSO)), how can application retrieve the LTPA and LTPA V2 cookie name programmatically? Similarly, how to retrieve the HTTP session cookie name since it is also configurable. The purpose of it is to programmatically cleanup those cookies from the application.

Thanks!
Updated on 2011-04-20T13:40:50Z at 2011-04-20T13:40:50Z by tzhao
  • kark
    kark
    18 Posts
    ACCEPTED ANSWER

    Re: How to programmatically get LTPA and LTPA V2 cookie name

    ‏2011-04-19T15:48:13Z  in response to tzhao
    Hi,

    Irrespective of what cookie names are used (default or customized), you can use the revokeSSOCookies method in WSSecurityHelper class to clean out the LTPA cookies and invalidate the session.

    Here is the link to WSSecurityHelper.
    http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.javadoc.doc/web/apidocs/com/ibm/websphere/security/WSSecurityHelper.html

    --Ajay Reddy
    • tzhao
      tzhao
      15 Posts
      ACCEPTED ANSWER

      Re: How to programmatically get LTPA and LTPA V2 cookie name

      ‏2011-04-19T22:54:26Z  in response to kark
      Hi Ajay,

      Thanks for your help!

      According to the document, revokeSSOCookies(HttpServletRequest, HttpServletResponse) method removes the WebSphere Application Server Single Sign-on (SSO) cookies if SSO is enabled.
      You suggested to "use the revokeSSOCookies method in WSSecurityHelper class to clean out the LTPA cookies and invalidate the session".
      Does invalidating SSO cookie also invalidate the HTTP session? Or does this method also remove the HTTP session cookie?

      Thanks,
      Ting
      • kark
        kark
        18 Posts
        ACCEPTED ANSWER

        Re: How to programmatically get LTPA and LTPA V2 cookie name

        ‏2011-04-20T03:08:49Z  in response to tzhao
        Ting,

        The session is invalidated when you use the form logout (eg adminConsole logout). However, when using the programmatic logout using this API, only the SSO cookies are cleared (as the Javadoc indicates) and the application can invalidate the session using session.invalidate() to invalidate the session. Sorry for the confusion.

        --Ajay
        • tzhao
          tzhao
          15 Posts
          ACCEPTED ANSWER

          Re: How to programmatically get LTPA and LTPA V2 cookie name

          ‏2011-04-20T13:40:50Z  in response to kark
          Hi Ajay,

          Thanks!
          Ting