IBM Support

PH48145: WEBSPHERE FORMLOGOUT DOES NOT INVOKE TAI LOGOUTS


APAR status

  • Closed as program error.

Error description

  • When an application redirects a request to
    ibm_security_logout, the TAI logouts are not invoked.  This can
    result in a user still being logged in with a TAI.
    
    When an application invokes HttpServletRequest.logout(), the
    TAI logouts are performed.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: WebSphere form logout does not invoke   *
    *                      the TAI logouts.                        *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    When an application redirects a request to ibm_security_logout,
    the TAI logouts are not performed.  This can result in cookies
    and cache entries that are not deleted and a TAI may think
    that a user is still logged in.
    

Problem conclusion

  • The WebSphere ibm_security_logout method is updated to perform
    the TAI logouts.
    
    If a TAI commits the response, for instance, to redirect to an
    external server for logout, the form logout does not redirect to
    the URL specified on the logoutExitPage parameter of the
    ibm_security_logout request.  Example:
    
    ibm_security_logout?logoutExitPage=logon.jsp
    
    ========================================
    Information for custom TAI developers:
    
    The logout method is invoked for all TAIs that implement the
    com.ibm.wsspi.security.tai.TrustAssociationInterceptorExt
    interface in addition to the regular
    com.ibm.wsspi.security.tai.TrustAssociationInterceptor
    interface.
    
    When the logout method is invoked through the form logout
    path, two parameters are added to the HttpServletRequest:
    
    ibm_security_logout
    logout_exit_page
    
    ibm_security_logout is set to true
    
    logout_exit_page is set to a normalized value of the
    logoutExitPage parameter if core security deems the value for
    logoutExitPage valid; otherwise it is not set.  Note that the
    value of the logout_exit_page parameter might be a relative
    reference.  If your custom TAI uses the value of
    logout_exit_page and requires an absolute URI, your TAI
    must take this into account.
    
    Core security only allows a URI to the current JVM for the
    logoutExitPage parameter for the ibm_security_logout method
    when the com.ibm.websphere.security.allowAnyLogoutExitPageHost
    security custom property is set to false (the default).
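    An added illustrative example (not IBM's code and not part of this APAR) of a custom TAI logout that handles the two request parameters described above, resolves a relative logout_exit_page to an absolute URI, and only commits the response when an external logout is genuinely required. The cookie name, the external logout endpoint, the post_logout_redirect_uri query parameter and the logout method signature are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.security.auth.Subject;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Illustrative logout handling for a custom TAI (not IBM's code). Assumption:
// TrustAssociationInterceptorExt.logout takes (request, response, subject);
// confirm the exact signature in the javadoc of your WebSphere release.
public class ExampleTaiLogout {
    private static final String TAI_COOKIE = "EXAMPLE_TAI_SESSION"; // hypothetical name
    // Hypothetical external logout endpoint; leave null if the TAI has none.
    private final URI externalLogoutEndpoint = null;

    public void logout(HttpServletRequest req, HttpServletResponse resp, Subject subject)
            throws IOException {
        // Expire the TAI's own cookie so the TAI stops treating the user as logged in.
        Cookie expired = new Cookie(TAI_COOKIE, "");
        expired.setMaxAge(0); expired.setPath("/");
        expired.setHttpOnly(true); expired.setSecure(req.isSecure());
        resp.addCookie(expired);

        // Only the form-logout path sets these two parameters; logout_exit_page is
        // absent when core security rejected the logoutExitPage value.
        boolean viaFormLogout = "true".equals(req.getParameter("ibm_security_logout"));
        URI exitPage = viaFormLogout ? resolveExitPage(req, req.getParameter("logout_exit_page")) : null;

        // Committing the response here means WebSphere will not redirect to logoutExitPage
        // afterwards, so commit only for a real external logout and carry the exit page along.
        if (externalLogoutEndpoint != null && !resp.isCommitted()) {
            String target = externalLogoutEndpoint.toString();
            if (exitPage != null) { // query parameter name is hypothetical
                target += "?post_logout_redirect_uri="
                        + URLEncoder.encode(exitPage.toString(), StandardCharsets.UTF_8);
            }
            resp.sendRedirect(target);
        }
    }

    // logout_exit_page may be a relative reference such as "logon.jsp"; resolve it
    // against the ibm_security_logout request URL to obtain an absolute URI.
    static URI resolveExitPage(HttpServletRequest req, String exitPage) {
        if (exitPage == null || exitPage.isEmpty()) return null;
        try { return new URI(req.getRequestURL().toString()).resolve(new URI(exitPage)); }
        catch (URISyntaxException e) { return null; }
    }
}
```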
    
    ========================================
    In the past, the administrative console could not be protected
    by an SSO TAI because, when the console's logout was clicked,
    the console was not logged out.
    
    After APAR PH48145 is active on a JVM, access to the console
    application can be controlled by a third-party identity provider
    and a web SSO TAI.
    
    When the administrative console is protected by a web SSO TAI
    and a user navigates to the administrative console URL in a
    browser, the user is redirected to the identity provider to
    log in.
    
    Caution about console timeout:
    
    If the console is configured with a non-negative
    invalidationTimeout value (the default is 30 minutes), the
    console returns to its default blue login screen when it times
    out.  Regardless of protection by a TAI, this blue login screen
    requires WebSphere registry credentials, not identity provider
    credentials.  When the console is protected by a TAI, the user
    can navigate to the console URL again and the application might
    reload without providing credentials at the blue login screen.
    This behavior depends on attributes of the identity provider,
    not attributes of the TAI. Credentials are not required from the
    identity provider before the application reloads unless both the
    TAI and the identity provider think that they are required.
    
    Since the console's blue login screen requires WebSphere
    registry credentials and not those of the identity provider, it
    is recommended to disable the console timeout to prevent user
    confusion.  To disable the administrative console timeout,
    perform the following actions:
    
    1. Edit
       (cellRoot)/applications/isclite.ear/deployments/isclite/deployment.xml
    2. In the tuningParams section, change the setting for
       invalidationTimeout to -1
    3. Save the file
    4. Restart the server
    
    ========================================
    To protect the administrative console with the SAML web SSO TAI,
    the sso_(id).sp.interceptAdminApp SAML TAI property must be set
    to true.
    
    ========================================
    For the OIDC and SAML TAIs, the filter to use for the
    administrative console is:
    "/ibm/console(?!/images/)(.*).*".
    
    ========================================
    * To configure the OIDC TAI for RP-Initiated logout so that it
    also logs out of the OpenID provider, see APAR PH48083.
    * To configure the SAML TAI 'filter' property using a regular
    expression, see APAR PH49373.
    * The OIDC TAI 'interceptedPathFilter' property accepts regular
    expressions.  To configure the OIDC TAI 'filter' property using
    a regular expression, see APAR PH49279.
    * Both PH49279 and PH49373 are delivered in fix packs 8.5.5.23
    and 9.0.5.14.
    
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.23 and 9.0.5.14. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH48145

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-07-20

  • Closed date

    2022-08-05

  • Last modified date

    2022-09-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels


Document Information

Modified date:
17 September 2022