pwilson

Purging SSO cookies on the Liberty Profile V8.5.Next Alpha

2012-11-14T21:52:40Z
Hello,

I've got an application which is using form based authentication to provide security. Things work fine until I attempt to log a user out. Besides invalidating the session via HttpSession.invalidate(), I'd also like to call WSSecurityHelper.revokeSSOCookies() to remove the LTPA cookie. Unfortunately, in Liberty V8.5 Alpha, that method doesn't seem to exist. Without purging the SSO cookie the session resurrects itself and I end up back on the main application page instead of logged out.

Is there an alternative to revokeSSOCookies()? Will future versions of the Liberty Profile provide the full profile implementation of WSSecurityHelper?

Thanks!
  • MichaelThompson

    Re: Purging SSO cookies on the Liberty Profile V8.5.Next Alpha

    2012-11-15T13:49:16Z
    Some of the capabilities in WSSecurityHelper have been migrated to com.ibm.websphere.security.web.WebSecurityHelper.

    However, revokeSSOCookies() is not available in Liberty Profile 85 as the capabilities it provides are now available through a Java servlet standard API: javax.servlet.http.HttpServletRequest.logout.

    By invoking javax.servlet.http.HttpServletRequest.logout from within your application, the SSO cookie will be removed from the response, so future requests will require re-authentication.

    See JavaDoc: http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html
  • kark

    Re: Purging SSO cookies on the Liberty Profile V8.5.Next Alpha

    2012-11-15T14:27:57Z
    Also, the following Liberty profile infocenter covers this:

    http://publib.boulder.ibm.com/infocenter/radhelp/v8r5/index.jsp?topic=%2Fcom.ibm.websphere.wlp.nd.multiplatform.doc%2Ftopics%2Frwlp_sec_apis.html

    Specifically:
    • The method revokeSSOCookies(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res) is not supported in the Liberty profile. Instead you can use the Servlet 3.0 logout function.

    --Ajay
  • pwilson

    Re: Purging SSO cookies on the Liberty Profile V8.5.Next Alpha

    2012-11-15T14:39:29Z
    Thanks very much. I'll check the Java and Liberty docs for more information.