IBM Support

Programmatically logout from WebSphere Application Server (Form Logout) and WebSEAL (pkmslogout)

Troubleshooting

Problem

There is a problem when the WebSphere Application Server and WebSEAL authentication sessions (as distinct from HTTP sessions) are not synchronized. This is a problem only when LTPA SSO is enabled.

Cause

After the initial TAI invocation, the LTPA cookie alone is used to determine the user's session information on subsequent requests. The following scenario is therefore possible:

  1. User A logs into WebSEAL and the TAI signs them onto WebSphere Application Server
  2. WebSphere Application Server returns an LTPA cookie to the browser
  3. User A logs out of WebSEAL
  4. User B logs into WebSEAL and the LTPA cookie erroneously signs them onto WebSphere Application Server as user A

This can be prevented by turning off LTPA SSO, or by embedding JavaScript in the WebSEAL logout page and login page that empties and expires all of the back-end authentication cookies.

However, turning off LTPA SSO results in the TAI being invoked for every request, which negatively impacts performance.

Resolving The Problem

This sample servlet demonstrates the use of the WebSphere Application Server ibm_security_logout (FORM logout) together with the WebSEAL pkmslogout. The logout servlet invokes the FORM logout servlet (ibm_security_logout), which in turn redirects the browser to WebSEAL pkmslogout:


import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LogoutServlet extends HttpServlet implements Servlet {
        public LogoutServlet() {
                super();
        }

        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                        throws ServletException, IOException {
                doPost(request, response);
        }

        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                        throws ServletException, IOException {
                // The number of /.. segments depends on where this servlet is mounted
                // relative to the WebSEAL junction root. The final URL must resolve to
                // the WebSEAL pkmslogout, for example https://webseal-server/pkmslogout
                String logoutPage = "/../../../pkmslogout?filename=logout.html";

                // WebSphere FORM logout: ibm_security_logout clears the LTPA cookie and
                // then sends the browser on to logoutExitPage, i.e. WebSEAL pkmslogout.
                String logoutURL = "ibm_security_logout?logout=Logout&logoutExitPage=" + logoutPage;

                // encodeRedirectURL is the API intended for URLs passed to sendRedirect
                response.sendRedirect(response.encodeRedirectURL(logoutURL));
        }
}
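As an added example (not IBM's code from this technote), the filter below detects the scenario from the Cause section on every request and forces the LogoutServlet above whenever the user asserted by WebSEAL and the WebSphere principal disagree. It assumes the WebSEAL junction passes the iv-user header, that the servlet is mapped at /LogoutServlet, and the class name SessionMismatchFilter is hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not from the technote): if the LTPA cookie still says
// user A while WebSEAL asserts user B, tear both sessions down via LogoutServlet.
public class SessionMismatchFilter implements Filter {
        // Assumed URL mapping of the LogoutServlet shown above.
        private static final String LOGOUT_PATH = "/LogoutServlet";
        public void init(FilterConfig config) throws ServletException { }
        public void destroy() { }

        // True when WebSEAL and WebSphere agree on the user, or when either side has
        // no identity to compare. Adjust if the TAI maps the WebSEAL user name to a
        // differently formatted WebSphere principal name.
        static boolean identitiesMatch(String websealUser, String wasUser) {
                if (websealUser == null || wasUser == null) return true;
                return websealUser.trim().equalsIgnoreCase(wasUser.trim());
        }
        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                        throws IOException, ServletException {
                HttpServletRequest request = (HttpServletRequest) req;
                HttpServletResponse response = (HttpServletResponse) resp;
                // iv-user is trustworthy only if the app is reachable solely through
                // the WebSEAL junction that sets it (junction created with -c iv_user).
                String websealUser = request.getHeader("iv-user");
                String wasUser = request.getUserPrincipal() == null
                                ? null : request.getUserPrincipal().getName();
                // Let the logout request itself pass, otherwise the redirect below loops.
                if (LOGOUT_PATH.equals(request.getServletPath())
                                || identitiesMatch(websealUser, wasUser)) {
                        chain.doFilter(req, resp);
                        return;
                }
                // Stale LTPA identity: drop the HTTP session and force the full logout
                // (ibm_security_logout followed by WebSEAL pkmslogout).
                HttpSession session = request.getSession(false);
                if (session != null) session.invalidate();
                response.sendRedirect(response.encodeRedirectURL(
                                request.getContextPath() + LOGOUT_PATH));
        }
}
```

Map the filter to the protected URL pattern in web.xml so it runs before the application code; an LTPA/WebSEAL mismatch then ends in the same two-stage logout the servlet performs.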

Document Information

Modified date:
15 June 2018

UID

swg21228490