I've got an application which is using form based authentication to provide security. Things work fine until I attempt to log a user out. Besides invalidating the session via HttpSession.invalidate(), I'd also like to call WSSecurityHelper.revokeSSOCookies() to remove the LTPA cookie. Unfortunately, in Liberty V8.5 Alpha, that method doesn't seem to exist. Without purging the SSO cookie the session resurrects itself and I end up back on the main application page instead of logged out.
Is there an alternative to revokeSSOCookies()? Will future versions of the Liberty Profile provide the full profile implementation of WSSecurityHelper?
3 replies Latest Post - 2012-11-15T14:39:29Z by pwilson
Pinned topic Purging SSO cookies on the Liberty Profile V8.5.Next Alpha
MichaelThompson 06000274WA4 Posts ACCEPTED ANSWER
Re: Purging SSO cookies on the Liberty Profile V8.5.Next Alpha
2012-11-15T13:49:16Z in response to pwilson
Some of the capabilities in WSSecurityHelper have been migrated to com.ibm.websphere.security.web.WebSecurityHelper.
However, revokeSSOCookies() is not available in Liberty Profile 85 as the capabilities it provides are now available through a Java servlet standard API: javax.servlet.http.HttpServletRequest.logout.
By invoking javax.servlet.http.HttpServletRequest.logout from within your application, the SSO cookie will be removed from the response, so future requests will require re-authentication.
See JavaDoc: http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html
kark 110000716N26 Posts ACCEPTED ANSWER
Re: Purging SSO cookies on the Liberty Profile V8.5.Next Alpha
2012-11-15T14:27:57Z in response to MichaelThompson
Also, the following Liberty profile infocenter covers this:
• The method revokeSSOCookies(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res) is not supported in the Liberty profile. Instead you can use the Servlet 3.0 logout function.
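A logout servlet built on the Servlet 3.0 call recommended in both answers, as an added example that is not code from the thread or from IBM. The class name, the `/logout` mapping and the `/login.html` landing page are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: name and URL mapping are assumptions, not from the thread.
// Only doPost is implemented, so a plain GET (a link or image tag on another
// site) gets the HttpServlet default rejection and cannot log the user out.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    // Assumed landing page. A fixed path is used instead of a request
    // parameter so the redirect target cannot be chosen by the caller.
    private static final String LOGIN_PAGE = "/login.html";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Servlet 3.0 logout. It must run before the response is committed,
        // because the container clears the SSO cookie on this response
        // (the behaviour described in the answers above).
        req.logout();

        // After logout() the request must no longer carry an identity.
        if (req.getUserPrincipal() != null) {
            throw new ServletException("logout() did not clear the caller identity");
        }

        // Drop server-side session state as well. getSession(false) avoids
        // creating a fresh session just to invalidate it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Keep the browser from serving cached protected pages via Back.
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(req.getContextPath() + LOGIN_PAGE);
    }
}
```

Calling only `HttpSession.invalidate()` leaves the LTPA cookie in the browser, which is the "session resurrects itself" symptom from the question; `logout()` is the step that addresses it.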