3

Environment

  • Richfaces 3.3.3
  • JSF 1.2
  • Siteminder

Requirement

The user enters the required application address. Siteminder intercepts and asks for a username and password. The client provides credentials. The client uses the application and clicks the logout/exit button. The application destroys sessions and redirects (302) to the same application address, and Siteminder should intercept again.

Problem

I am trying to log out from a Richfaces application which is logged in from Siteminder. After logout, rather than going to the login page of Siteminder, it comes back to the main page of the application. It seems like it is killing the application session but not the Siteminder session. Is there a way to log out of Siteminder?

Code

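import java.io.IOException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;

public String logout() {
    ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
    HttpSession session = (HttpSession) ec.getSession(false);

    // Invalidates the application (container) session only
    if (session != null) {
        session.invalidate();
    }

    try {
        // Redirect back to the application's start page
        String redirectPath = "https://abcd.xyz.com/context/start.jsf";
        ec.redirect(redirectPath);
    } catch (IOException e) {
        e.printStackTrace();
    }

    return null;
}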

Log

com.ibm.ws.webcontainer.servlet.ServletWrapper doDestroy SRVE0253I [hostname] [/context] [uri]: Destroy successfull.
com.ibm.ws.webcontainer.servlet.ServletWrapper init SRVE0242I [hostname] [/context] [uri]: Initialization successfull.

Pradeep Kumar

2 Answers

2

I forcibly do a redirect by using the code below in a servlet filter if the SM_USER value in the header is null/empty.

if (servletPath.trim().equals("/login/logout.do")) {
    log.debug("User Logged Out. Redirecting to " + contextPath + homeLink);
    RequestDispatcher rd = request.getRequestDispatcher(homeLink);
    rd.forward(request, response);
    return;
}

Punter Vicky
0

You need to update the Agent Configuration Object (ACO) for the Web Agent that is hosting the application. The LogOffUri parameter instructs the SiteMinder Web Agent to destroy the SMSESSION (actually sets the value to LOGGEDOFF).

If you configure the URI specified in the LogOffUri ACO parameter to redirect the user back to the application's main URL, the WebAgent will detect that the SMSESSION is not valid and will send the user to the login page.

bcarroll
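
An added example (not code from either answer or from SiteMinder) of the flow the LogOffUri answer describes: the JSF logout action ends the application session and redirects to the logoff URI, and the resource at that URI sends the browser back to the application's main URL. The path `/context/logoff`, the class names and the servlet mapping in web.xml are assumptions; the path must match whatever value is set for LogOffUri in the Web Agent's ACO.

```java
import java.io.IOException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Backing bean: ends the application session, then hands off to the logoff URI. */
public class LogoutBean {
    // Assumption: hypothetical path; must equal the LogOffUri value in the ACO.
    static final String LOGOFF_URI = "/context/logoff";

    public String logout() throws IOException {
        FacesContext fc = FacesContext.getCurrentInstance();
        ExternalContext ec = fc.getExternalContext();

        HttpSession session = (HttpSession) ec.getSession(false);
        if (session != null) {
            session.invalidate(); // application session only; SMSESSION is not touched here
        }

        // Go through the logoff URI instead of straight back to start.jsf,
        // so the Web Agent processes the request and ends the SMSESSION.
        ec.redirect(LOGOFF_URI);
        fc.responseComplete();
        return null;
    }
}

/** Hypothetical servlet mapped at LOGOFF_URI in web.xml. */
class LogoffServlet extends HttpServlet {
    // Application main URL, taken from the question.
    static final String START_URL = "https://abcd.xyz.com/context/start.jsf";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Prevent a cached copy of this response from being replayed,
        // which would skip the agent's logoff handling on a later logout.
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);

        // With SMSESSION no longer valid, the request for the main URL
        // is intercepted and the user is sent to the login page.
        resp.sendRedirect(START_URL);
    }
}
```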