Programmatically logout from WebSphere Application Server (Form Logout) and WebSEAL (pkmslogout)

Technote (troubleshooting)


This document applies only to the following language version(s):

English

Problem(Abstract)

A problem arises when the WebSphere Application Server and WebSEAL authentication sessions (as distinct from HTTP sessions) are not kept synchronized. This is a problem only when LTPA SSO is enabled.

Cause

An LTPA cookie can be used to determine the user's session information after the initial TAI invocation. The following scenario is possible:

  1. User A logs into WebSEAL and the TAI signs them onto WebSphere Application Server
  2. WebSphere Application Server returns an LTPA cookie to the browser
  3. User A logs out of WebSEAL
  4. User B logs into WebSEAL and the LTPA cookie erroneously signs them onto WebSphere Application Server as user A

This can be prevented by turning off LTPA SSO or embedding JavaScript into the WebSEAL logout page and login page that empties and expires all of the backend authentication cookies.

However, turning off LTPA SSO will result in TAI being invoked for each request, negatively impacting performance.


Resolving the problem

This sample servlet demonstrates the combined use of the WebSphere Application Server ibm_security_logout (FORM logout) servlet and the WebSEAL pkmslogout URL. The logout servlet redirects the user to the FORM logout servlet (ibm_security_logout), which logs the user out of WebSphere Application Server and then redirects to WebSEAL pkmslogout:


import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LogoutServlet extends HttpServlet implements Servlet {
    public LogoutServlet() {
        super();
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // The number of "/.." segments depends on the junction depth from which
        // you are redirecting. The final target must be the WebSEAL pkmslogout
        // URL, for example: https://webseal-server/pkmslogout
        String logoutPage = "/../../../pkmslogout?filename=logout.html";

        // Redirect to the WebSphere FORM logout servlet; logoutExitPage tells it
        // where to send the browser once the WebSphere logout is complete.
        String logoutURL = "ibm_security_logout?logout=Logout&logoutExitPage=" + logoutPage;

        response.sendRedirect(response.encodeURL(logoutURL));
    }
}
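The following servlet is an added example written for this note; it is not IBM's sample and not part of WebSphere or WebSEAL. It covers both the cause described above (a WebSphere LTPA cookie outliving the WebSEAL session) and the resolution: it invalidates the HTTP session, explicitly expires the LTPA cookies as a belt-and-braces measure, URL-encodes the logoutExitPage value, and then redirects through ibm_security_logout to WebSEAL pkmslogout. The init parameter name websealLogoutUrl, the class name FullLogoutServlet and the cookie names are assumptions chosen for the example (LtpaToken2 is the cookie name WebSphere uses for current LTPA tokens; LtpaToken is the older one).

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not IBM's code). Logs the user out of WebSphere Application
 * Server and then hands the browser to WebSEAL's pkmslogout, clearing local
 * state on the way so a stale LTPA cookie cannot outlive the WebSEAL session.
 */
public class FullLogoutServlet extends HttpServlet {

    // Assumption: the absolute WebSEAL logout URL is supplied as a servlet
    // init parameter so the junction depth is not hard-coded as "/../..".
    // Example value: https://webseal-server/pkmslogout?filename=logout.html
    private static final String WEBSEAL_LOGOUT_PARAM = "websealLogoutUrl";

    // Cookie names WebSphere uses for LTPA SSO tokens.
    private static final String[] SSO_COOKIES = { "LtpaToken2", "LtpaToken" };

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // 1. Drop the HTTP session so application state does not survive
        //    the authentication session.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Expire the LTPA cookies explicitly. ibm_security_logout does this
        //    as well; doing it here also covers the case where the redirect to
        //    ibm_security_logout never completes (for example a closed tab).
        expireSsoCookies(request, response);

        // 3. Redirect to the FORM logout servlet and let it send the browser
        //    on to WebSEAL's pkmslogout.
        response.sendRedirect(buildLogoutUrl(getWebsealLogoutUrl()));
    }

    private String getWebsealLogoutUrl() throws ServletException {
        String url = getServletConfig().getInitParameter(WEBSEAL_LOGOUT_PARAM);
        if (url == null || url.trim().length() == 0) {
            throw new ServletException("init-param " + WEBSEAL_LOGOUT_PARAM + " is not set");
        }
        return url;
    }

    /** Builds the ibm_security_logout URL with the exit page URL-encoded. */
    static String buildLogoutUrl(String exitPage) throws UnsupportedEncodingException {
        // The exit page carries a '?' and '=' of its own, so it is encoded to
        // travel safely as a single query-parameter value.
        return "ibm_security_logout?logout=Logout&logoutExitPage="
                + URLEncoder.encode(exitPage, "UTF-8");
    }

    /** Sends an expired replacement for every LTPA cookie the browser presented. */
    private static void expireSsoCookies(HttpServletRequest request, HttpServletResponse response) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return;
        }
        for (Cookie c : cookies) {
            for (String name : SSO_COOKIES) {
                if (name.equals(c.getName())) {
                    Cookie expired = new Cookie(name, "");
                    expired.setMaxAge(0);                 // instructs the browser to delete it
                    expired.setPath("/");                 // WebSphere issues LTPA cookies on "/"
                    expired.setSecure(request.isSecure());
                    response.addCookie(expired);
                }
            }
        }
    }
}
```

Map the servlet in web.xml with a websealLogoutUrl init-param pointing at the absolute pkmslogout URL on the WebSEAL host. A browser only discards a cookie when the name, path and domain of the expiring cookie match the one it holds, so if the WebSphere SSO domain is configured, add a matching setDomain call in expireSsoCookies; and because the cookie also needs to die on the WebSEAL side, the explicit expiry here complements rather than replaces the redirect through ibm_security_logout and pkmslogout.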

Related information

TAI article


Cross reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK

Document information

More support for: WebSphere Application Server
Security

Software version: 7.0, 8.0, 8.5, 9.0

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Software edition: Network Deployment

Reference #: 1228490

Modified date: 23 January 2006