Customizing web application logout

WebSphere® Application Server logout enables an application to log out a user without having to close all web-browser sessions. After you log out of WebSphere Application Server, access to a protected web resource requires reauthentication.

About this task

An application can log a user out of a web server by using one of the following mechanisms:
HttpServletRequest.logout()

The Java™ Servlet 3.0 specification provides an API method, HttpServletRequest.logout(), that invalidates the security context while leaving the HTTP session in place. When you call the HttpServletRequest.logout() method, the active user is logged out of WebSphere Application Server.

Form logout

Java Platform, Enterprise Edition (J2EE) specifications do not require form logout, but it is provided as an extra feature in WebSphere Application Server security.

Suppose that you want to log out of a web application after you perform some actions. A form logout works in the following manner:
  1. The logout-form URI is specified in the web browser and loads the form.
  2. The user clicks Submit on the form to log out.
  3. The WebSphere Application Server security code logs out the user. During this process, the WebSphere Application Server completes the following processes:
    1. Clears the Lightweight Third Party Authentication (LTPA) / single sign-on (SSO) cookies
    2. Invalidates the HTTP session
    3. Removes the user from the authentication cache
  4. Upon logout, the user is redirected to a logout exit page.

Form logout does not require any attributes in a deployment descriptor. The form-logout page is an HTML or a JavaServer Pages (JSP) file that is included with the web application. The form-logout page is like most HTML forms except that like the form-login page, the form-logout page has a special post action. The web container recognizes the post action, which dispatches the post action to a special internal form-logout servlet. The post action in the form-logout page must be ibm_security_logout.

You can specify a logout-exit page in the logout form. The exit page can be an HTML or a JSP file within the same web application, to which the user is redirected after logging out. The logout-exit page can also be a fully qualified URL of the form http://hostname:port/URL. The logout-exit page is specified as a parameter in the form-logout page. If no logout-exit page is specified, a default logout HTML message is returned to the user.

Procedure

  1. Implement a logout in your application.
  2. Optional: If you are implementing a form logout, create a logout page with the required look.
  3. Optional: If you are implementing a form logout and your logout page is not on the same host to which the request is made, complete one of the following steps.
    Attention: If you do not set one of these security custom properties, a generic logout is displayed instead of your custom logout page that is on the external host.
    • Add the external hostname to the list of hosts on the com.ibm.websphere.security.logoutExitPageDomainList security custom property.
    • Set the com.ibm.websphere.security.allowAnyLogoutExitPageHost security custom property to true.
      Attention: Setting this property to true might open your system to a URL redirect attack.

HttpServletRequest.logout() example

import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SAMLLogoutServlet extends HttpServlet implements Servlet {
    public SAMLLogoutServlet() {
        super();
    }
    protected void doGet(HttpServletRequest req, HttpServletResponse rsp) throws ServletException, IOException {
        doPost(req,rsp);
    }
    protected void doPost(HttpServletRequest req, HttpServletResponse rsp) throws ServletException, IOException {
        // Logs the active user out of WebSphere Application Server; the HTTP session itself still exists afterwards.
        req.logout();
    }
}

Form logout with Java example

This sample servlet redirects the browser to the form logout servlet (ibm_security_logout), which logs the user out and then sends the user to your logout exit page.

import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LogoutServlet extends HttpServlet implements Servlet {
    public LogoutServlet() {
        super();
    }
    protected void doGet(HttpServletRequest req, HttpServletResponse rsp) throws ServletException, IOException {
        doPost(req,rsp);
    }
    protected void doPost(HttpServletRequest req, HttpServletResponse rsp) throws ServletException, IOException {

        String logoutPage="yourLogout.html";  //logout page that you implemented

        String logoutURL= "ibm_security_logout?logout=Logout&logoutExitPage="+logoutPage;

        rsp.sendRedirect(rsp.encodeURL(logoutURL));
    }
}
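The logoutExitPage value is what the allowAnyLogoutExitPageHost note in the procedure is about: if the exit page is taken from the request rather than hard-coded as above, an unchecked value can send the user to an arbitrary host after logout. The following added example (not IBM's code) accepts the exit page only as a path inside this application or as an absolute http(s) URL on an allowlist of hosts before redirecting to ibm_security_logout; the returnTo parameter name, the allowlist hosts and the default exit page are assumptions, and Set.of requires Java 9 or later.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CheckedLogoutServlet extends HttpServlet {
    // Assumed allowlist; keep it in step with the hosts listed in the
    // com.ibm.websphere.security.logoutExitPageDomainList custom property.
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.example.com", "sso.example.com");
    // Assumed fallback page inside this web application.
    private static final String DEFAULT_EXIT_PAGE = "/loggedout.html";

    // Accepts a path inside this application or an absolute http(s) URL whose
    // host is on the allowlist; anything else falls back to the default page.
    static String checkedExitPage(String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return DEFAULT_EXIT_PAGE;
        }
        try {
            URI uri = new URI(candidate);
            if (uri.getScheme() == null && uri.getRawAuthority() == null) {
                // No scheme and no authority: a path relative to this application.
                // A scheme-relative "//host/..." carries an authority, so it is not accepted here.
                return candidate.startsWith("/") ? candidate : DEFAULT_EXIT_PAGE;
            }
            String host = uri.getHost();
            boolean httpScheme = "http".equalsIgnoreCase(uri.getScheme()) || "https".equalsIgnoreCase(uri.getScheme());
            if (httpScheme && host != null && ALLOWED_HOSTS.contains(host.toLowerCase())) {
                return candidate;
            }
        } catch (URISyntaxException e) {
            // Unparseable input is rejected like any other bad value.
        }
        return DEFAULT_EXIT_PAGE;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse rsp) throws ServletException, IOException {
        // "returnTo" is an assumed name for the caller-supplied exit page parameter.
        String exitPage = checkedExitPage(req.getParameter("returnTo"));
        String logoutURL = "ibm_security_logout?logout=Logout&logoutExitPage=" + URLEncoder.encode(exitPage, "UTF-8");
        rsp.sendRedirect(rsp.encodeURL(logoutURL));
    }
}
```

The exit page is URL-encoded so that an absolute URL survives as a single query parameter value; the server-side domain list still applies to whatever value reaches ibm_security_logout.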

Form logout with HTML example

This sample form logout HTML configures logoutExitPage to redirect the user back to the login page, login.html, after logout.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="pragma" content="no-cache">
<title>Logout Page</title>
</head>
<body>
<h2>Sample form logout</h2>
<form method="POST" action="ibm_security_logout" name="logout">
   <p>
   <br/>
   <br/>
   <font size="2"><strong>Click this button to log out: </strong></font>
   <input type="submit" name="logout" value="Logout">
   <input type="hidden" name="logoutExitPage" value="/login.html">
   </p>
</form>
</body>
</html>