I've got an application which is using form based authentication to provide security. Things work fine until I attempt to log a user out. Besides invalidating the session via HttpSession.invalidate(), I'd also like to call WSSecurityHelper.revokeSSOCookies() to remove the LTPA cookie. Unfortunately, in Liberty V8.5 Alpha, that method doesn't seem to exist. Without purging the SSO cookie the session resurrects itself and I end up back on the main application page instead of logged out.
Is there an alternative to revokeSSOCookies()? Will future versions of the Liberty Profile provide the full profile implementation of WSSecurityHelper?
Purging SSO cookies on the Liberty Profile V8.5.Next Alpha
MichaelThompson 06000274WA4 Posts
Re: Purging SSO cookies on the Liberty Profile V8.5.Next Alpha
2012-11-15T13:49:16Z
This is the accepted answer.
Some of the capabilities in WSSecurityHelper have been migrated to com.ibm.websphere.security.web.WebSecurityHelper.
However, revokeSSOCookies() is not available in Liberty Profile 85 as the capabilities it provides are now available through a Java servlet standard API: javax.servlet.http.HttpServletRequest.logout.
By invoking javax.servlet.http.HttpServletRequest.logout from within your application, the SSO cookie will be removed from the response, so future requests will require re-authentication.
See JavaDoc: http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html
kark 110000716N26 Posts
Re: Purging SSO cookies on the Liberty Profile V8.5.Next Alpha
2012-11-15T14:27:57Z
This is the accepted answer.
- MichaelThompson 06000274WA
• The method revokeSSOCookies(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res) is not supported in the Liberty profile. Instead you can use the Servlet 3.0 logout function.
pwilson 120000FYCE2 Posts
Re: Purging SSO cookies on the Liberty Profile V8.5.Next Alpha
2012-11-15T14:39:29Z
This is the accepted answer.
Thanks very much. I'll check the Java and Liberty docs for more information.