IBM Support


Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.


APAR status

  • Closed as program error.

Error description

  • When an application redirects a request to
    ibm_security_logout, the TAI logouts are not invoked.  This can
    result in a user still being logged in with a TAI.
    When an application invokes HttpServeletRequest.logout(), the
    TAI logouts are performed.

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    * PROBLEM DESCRIPTION: WebSphere form logout does not invoke   *
    *                      the TAI logouts.                        *
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    When an application redirects a request to ibm_security_logout,
    the TAI logouts are not performed.  This can result in cookies
    and cache entries that are not deleted and a TAI may think
    that a user is still logged in.

Problem conclusion

  • The WebSphere ibm_security_logout method is updated to perform
    the TAI logouts.
    If a TAI commits the response, for instance, to redirect to an
    external server for logout, the form logout does not redirect to
    the URL specified on the logoutExitPage parameter of the
    ibm_security_logout request.  Example:
    Information for custom TAI devevelopers:
    The logout method is invoked for all TAIs that implement the
    interface in addition to the regular
    When the logout method is invoked through the form logout
    path, two parameters are added to the HttpServletRequest:
    ibm_security_logout is set to true
    logout_exit_page is set to a normalized value of the
    logoutExitPage parameter if core security deems the value for
    logoutExitPage valid, otherwise it is not set.  Note that the
    value of logout_exit_page parameter might be a relative
    reference.  If your custom TAI uses the value
    for logout_exit_page and requires an absolute URI, your TAI
    must take this into account.
    Core security only allows a URI to the current JVM for the
    logoutExitPage parameter for the ibm_security_logout method
    when the
    security custom property is set to false (the default).
    In the past, the administrative console could not be protected
    by an SSO TAI because, when the console's logout was clicked,
    the console was not logged out.
    After APAR PH48145 is active on a JVM, access to the console
    application can be controlled by a third-party identity provider
    and a web SSO TAI.
    When the administrative console is protected by a web SSO TAI
    and a user navigates to the administrative console URL in a
    browser, the user is redirected to the identity provider to
    Caution about console timeout:
    If the console is configured with a non-negative
    invalidationTimeout value (the default is 30 minutes), the
    console returns to its default blue login screen when it times
    out.  Regardless of protection by a TAI, this blue login screen
    requires WebSpere registry credentials, not identity provider
    credentials.  When the console is protected by a TAI, the user
    can navigate to the console URL again and the application might
    reload without providing credentials at the blue login screen.
    This behavior depends on attributes of the identity provider,
    not attributes of the TAI. Credentials are not required from the
    identity provider before the application reloads unless both the
    TAI and the identity provider think that they are required.
    Since the console's blue login screen requires WebSphere
    registry credentials and not those of the identity provider, it
    is recommended to disable the console timeout to prevent user
    confusion.  To disable the administrative console timeout,
    perform the following actions:
    1. Edit
    2. In the tuningParams section, change the setting for
    invalidationTimeout to -1
    3. Save the file
    4. Restart the server
    To protect the administrative console with the SAML web SSO TAI,
    the sso_(id).sp.interceptAdminApp SAML TAI property must be set
    to true.
    For the OIDC and SAML TAIs, the filter to use for the
    administrative console is:
    * To configure the OIDC TAI for RP-Initiated logout so that it
    also logs out of the OpenId provider, see APAR PH48083.
    * To configure the SAML TAI 'filter' property using a regular
    expression, see APAR PH49373.
    * The OIDC TAI 'interceptedPathFilter' property accepts regular
    expressions.  To configure the OIDC TAI 'filter' property using
    a regular expression, see APAR PH49279.
    * Both PH49279 and PH49373 are delivered in fix packs
    The fix for this APAR is targeted for inclusion in fix packs and For more information, see 'Recommended
    Updates for WebSphere Application Server':

Temporary fix


APAR Information

  • APAR number


  • Reported component name


  • Reported component ID


  • Reported release


  • Status


  • PE




  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date


  • Closed date


  • Last modified date


  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name


  • Fixed component ID


Applicable component levels

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
17 September 2022