Topic
3 replies Latest Post - ‏2012-11-15T14:39:29Z by pwilson
pwilson
pwilson
2 Posts
ACCEPTED ANSWER

Pinned topic Purging SSO cookies on the Liberty Profile V8.5.Next Alpha

‏2012-11-14T21:52:40Z |
Hello,

I've got an application which is using form based authentication to provide security. Things work fine until I attempt to log a user out. Besides invalidating the session via HttpSession.invalidate(), I'd also like to call WSSecurityHelper.revokeSSOCookies() to remove the LTPA cookie. Unfortunately, in Liberty V8.5 Alpha, that method doesn't seem to exist. Without purging the SSO cookie the session resurrects itself and I end up back on the main application page instead of logged out.

Is there an alternative to revokeSSOCookies()? Will future versions of the Liberty Profile provide the full profile implementation of WSSecurityHelper?

Thanks!
  • MichaelThompson
    MichaelThompson
    4 Posts
    ACCEPTED ANSWER

    Re: Purging SSO cookies on the Liberty Profile V8.5.Next Alpha

    ‏2012-11-15T13:49:16Z  in response to pwilson
    Some of the capabilities in WSSecurityHelper have been migrated to com.ibm.websphere.security.web.WebSecurityHelper.

    However, revokeSSOCookies() is not available in Liberty Profile 85 as the capabilities it provides are now available through a Java servlet standard API: javax.servlet.http.HttpServletRequest.logout.

    By invoking javax.servlet.http.HttpServletRequest.logout from within your application, the SSO cookie will be removed from the response, so future requests will require re-authentication.

    See JavaDoc: http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html
  • pwilson
    pwilson
    2 Posts
    ACCEPTED ANSWER

    Re: Purging SSO cookies on the Liberty Profile V8.5.Next Alpha

    ‏2012-11-15T14:39:29Z  in response to pwilson
    Thanks very much. I'll check the Java and Liberty docs for more information.