Websphere 6.1 JAAS Logout.

Question

I have an WebApplication on WAS 6.1 using JAAS already working. Authenticates and authorizes in a orderly manner. But my logout page is not deauthorizing the principal. This application works correctly on JBoss an on Glasfish but not on WAS.

My logout page is just a simple JSP with this content.

<%System.out.println("principal is not null:"+(null != request.getUserPrincipal()));

if (null != request.getSession(false))
request.getSession(false).invalidate();
%><jsp:include page="/index.html" />

Am I missing something? I would preffer not to use any specific API from Webpshere but if it is absolutely needed I will.

Answer 1

To succesfully logout this code snippet is also needed:

try {
    com.ibm.websphere.security.WSSecurityHelper.revokeSSOCookies(request, response);
  } catch(Exception e) {
   // catch all possible exceptions if you want or handle them separately
   out.println("JAASLogoutServlet: logout Exception = " + e.getMessage());
   throw new ServletException(e);
}

Answer 2

IBM also implements a form called ibm_security_logout. I've been using it on websphere 7.0, but it exist in previous version. You can find more details my answer to my question :

http://stackoverflow.com/questions/3628796/how-do-i-logout-from-java-ee-container-managed-security