Troubleshooting
Problem
This problem occurs when the authentication sessions (as distinct from the HTTP sessions) of WebSphere Application Server and WebSEAL are not kept in step with each other. It applies only when LTPA SSO is enabled.
Cause
Once the Trust Association Interceptor (TAI) has run for the first time, the LTPA cookie alone is used to identify the user's session on later requests. The following scenario is therefore possible:
- User A logs into WebSEAL and the TAI signs them onto WebSphere Application Server
- WebSphere Application Server returns an LTPA cookie to the browser
- User A logs out of WebSEAL
- User B logs into WebSEAL and the LTPA cookie erroneously signs them onto WebSphere Application Server as user A
This can be prevented either by turning off LTPA SSO, or by embedding JavaScript in the WebSEAL logout page and login page that empties and expires all of the back-end authentication cookies.
However, turning off LTPA SSO causes the TAI to be invoked on every request, which degrades performance.
Resolving The Problem
The following sample servlet demonstrates combined use of the WebSphere Application Server ibm_security_logout (FORM logout) and the WebSEAL pkmslogout. The servlet logs the user out through the FORM logout servlet (ibm_security_logout) and then redirects the browser to the WebSEAL pkmslogout:
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LogoutServlet extends HttpServlet {

    // GET and POST are handled identically: both trigger the logout sequence.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The number of "/.." segments depends on the path you are redirecting from.
        // The resolved URL must end up at the WebSEAL pkmslogout, for example:
        //     https://webseal-server/pkmslogout
        String logoutPage = "/../../../pkmslogout?filename=logout.html";

        // First run the WebSphere FORM logout (ibm_security_logout), which clears the
        // LTPA cookie; its logoutExitPage parameter then sends the browser to WebSEAL.
        String logoutURL = "ibm_security_logout?logout=Logout&logoutExitPage=" + logoutPage;
        response.sendRedirect(response.encodeURL(logoutURL));
    }
}
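The technote's JavaScript mitigation clears the back-end authentication cookies from the browser; if those cookies are issued with the HttpOnly attribute, page script cannot touch them, and the only reliable place to expire them is the server. The servlet below is an added example, not code from the technote or from IBM: it invalidates the HTTP session, sends expiring copies of the WebSphere LTPA cookies (LtpaToken and LtpaToken2), and only then hands off to ibm_security_logout and pkmslogout as above. The class name, the assumption that pkmslogout sits at the WebSEAL root, the SSO_DOMAIN constant and the Servlet 3.0 API (for setHttpOnly) are all assumptions of this example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the IBM technote): expire the back-end authentication
// cookies server-side before redirecting to WebSEAL's pkmslogout.
public class ExpiringLogoutServlet extends HttpServlet {

    // Cookie names WebSphere Application Server uses for LTPA SSO tokens.
    private static final String[] AUTH_COOKIES = { "LtpaToken", "LtpaToken2" };

    // Assumed junction layout: pkmslogout is served at the WebSEAL root. Adjust to yours.
    private static final String WEBSEAL_LOGOUT = "/pkmslogout?filename=logout.html";

    // Assumed: the SSO domain configured for the LTPA cookies; null if none is configured.
    // A cookie is only deleted when name, path and domain all match the original.
    private static final String SSO_DOMAIN = null;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Invalidate the server-side HTTP session so none of its state can be reused.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Expire every LTPA cookie the browser presented on this request.
        int expired = expireAuthCookies(request, response);
        log("Logout: expired " + expired + " authentication cookie(s) for user "
                + request.getRemoteUser());

        // 3. Run the WebSphere FORM logout and let it bounce the browser to WebSEAL.
        String logoutUrl = "ibm_security_logout?logout=Logout&logoutExitPage=" + WEBSEAL_LOGOUT;
        response.sendRedirect(response.encodeRedirectURL(logoutUrl));
    }

    // Adds a Max-Age=0 copy of each known authentication cookie that the browser sent
    // and returns how many were expired (0 when the request carried no cookies at all).
    static int expireAuthCookies(HttpServletRequest request, HttpServletResponse response) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return 0;
        }
        int count = 0;
        for (Cookie presented : cookies) {
            for (String name : AUTH_COOKIES) {
                if (name.equals(presented.getName())) {
                    Cookie expiring = new Cookie(name, "");
                    expiring.setMaxAge(0);      // tells the browser to delete the cookie
                    expiring.setPath("/");      // LTPA cookies are normally issued with path "/"
                    expiring.setSecure(true);   // never send the expiry over plain HTTP
                    expiring.setHttpOnly(true);
                    if (SSO_DOMAIN != null) {
                        expiring.setDomain(SSO_DOMAIN);
                    }
                    response.addCookie(expiring);
                    count++;
                }
            }
        }
        return count;
    }
}
```

The explicit cookie expiry is defence in depth: ibm_security_logout clears the LTPA cookie as well, but expiring it here covers the case where that redirect never completes (for example, a user who closes the browser mid-logout), and the log line gives the operations team a per-user record of which logouts actually cleared a token.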
Document Information
Modified date:
15 June 2018
UID
swg21228490