APAR status
Closed as program error.
Error description
When an application redirects a request to ibm_security_logout, the TAI logouts are not invoked. This can result in a user still being logged in with a TAI. When an application invokes HttpServeletRequest.logout(), the TAI logouts are performed.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM WebSphere Application * * Server * **************************************************************** * PROBLEM DESCRIPTION: WebSphere form logout does not invoke * * the TAI logouts. * **************************************************************** * RECOMMENDATION: Install a fix pack or interim fix that * * contains this APAR. * **************************************************************** When an application redirects a request to ibm_security_logout, the TAI logouts are not performed. This can result in cookies and cache entries that are not deleted and a TAI may think that a user is still logged in.
Problem conclusion
The WebSphere ibm_security_logout method is updated to perform the TAI logouts. If a TAI commits the response, for instance, to redirect to an external server for logout, the form logout does not redirect to the URL specified on the logoutExitPage parameter of the ibm_security_logout request. Example: ibm_security_logout?logoutExitPage=logon.jsp ======================================== Information for custom TAI devevelopers: The logout method is invoked for all TAIs that implement the com.ibm.wsspi.security.tai.TrustAssociationInterceptorExt interface in addition to the regular com.ibm.wsspi.security.tai.TrustAssociationInterceptor interface. When the logout method is invoked through the form logout path, two parameters are added to the HttpServletRequest: ibm_security_logout logout_exit_page ibm_security_logout is set to true logout_exit_page is set to a normalized value of the logoutExitPage parameter if core security deems the value for logoutExitPage valid, otherwise it is not set. Note that the value of logout_exit_page parameter might be a relative reference. If your custom TAI uses the value for logout_exit_page and requires an absolute URI, your TAI must take this into account. Core security only allows a URI to the current JVM for the logoutExitPage parameter for the ibm_security_logout method when the com.ibm.websphere.security.allowAnyLogoutExitPageHost security custom property is set to false (the default). ======================================== In the past, the administrative console could not be protected by an SSO TAI because, when the console's logout was clicked, the console was not logged out. After APAR PH48145 is active on a JVM, access to the console application can be controlled by a third-party identity provider and a web SSO TAI. When the administrative console is protected by a web SSO TAI and a user navigates to the administrative console URL in a browser, the user is redirected to the identity provider to login. Caution about console timeout: If the console is configured with a non-negative invalidationTimeout value (the default is 30 minutes), the console returns to its default blue login screen when it times out. Regardless of protection by a TAI, this blue login screen requires WebSpere registry credentials, not identity provider credentials. When the console is protected by a TAI, the user can navigate to the console URL again and the application might reload without providing credentials at the blue login screen. This behavior depends on attributes of the identity provider, not attributes of the TAI. Credentials are not required from the identity provider before the application reloads unless both the TAI and the identity provider think that they are required. Since the console's blue login screen requires WebSphere registry credentials and not those of the identity provider, it is recommended to disable the console timeout to prevent user confusion. To disable the administrative console timeout, perform the following actions: 1. Edit (cellRoot)/applications/isclite.ear/deployments/isclite/deployme nt.xml 2. In the tuningParams section, change the setting for invalidationTimeout to -1 3. Save the file 4. Restart the server ======================================== To protect the administrative console with the SAML web SSO TAI, the sso_(id).sp.interceptAdminApp SAML TAI property must be set to true. ======================================== For the OIDC and SAML TAIs, the filter to use for the administrative console is: "/ibm/console(?!/images/)(.*).*". ======================================== * To configure the OIDC TAI for RP-Initiated logout so that it also logs out of the OpenId provider, see APAR PH48083. * To configure the SAML TAI 'filter' property using a regular expression, see APAR PH49373. * The OIDC TAI 'interceptedPathFilter' property accepts regular expressions. To configure the OIDC TAI 'filter' property using a regular expression, see APAR PH49279. * Both PH49279 and PH49373 are delivered in fix packs 8.5.5.23 and 9.0.5.14. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.23 and 9.0.5.14. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH48145
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-07-20
Closed date
2022-08-05
Last modified date
2022-09-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
17 September 2022