会话无效不适用于基于LTPA的安全性 [英] Session Invalidate not Working with LTPA-based Security
问题描述
我通常使用JSP处理站点注销,该JSP执行<%= session.invalidate()%>,然后重定向到主页.现在,我正在使用LTPA和SSL证书在WebSphere上运行身份验证. Session.invalidate()不起作用.有人建议这是因为WAS正在使用LTPA. LTPA创建一个不会被session.invalidate清除的身份验证cookie(LtpaToken2).
I normally handle site logout with a JSP that executes <%= session.invalidate() %> then redirects to the home page. Now I am running on WebSphere authenticating using LTPA and a SSL Certificate. Session.invalidate() does not work. Someone suggested it is because WAS is using LTPA. LTPA creates an authentication cookie (LtpaToken2) that is not cleared by session.invalidate.
IBM确实可以使用专有的注销JSP ***,但是我不想使用特定于供应商的解决方案.是否有人解决了注销LTPA cookie而不绑定到供应商的J2EE容器的会话注销?
IBM does have a proprietary logout JSP*** I could use, but I don't want to use a vendor specific solution. Has anybody tackled a session logout that clears the LTPA cookie without being tied to a vendor's J2EE container?
推荐答案
我找到了解决方法:
- 在管理控制台中,单击
Security>Global security - 在
Custom properties下,单击New - 在名称"字段中,输入
com.ibm.ws.security.web.logoutOnHTTPSessionExpire - 在值"字段中,输入
true - 单击
Apply和Save将更改保存到您的配置中 - 重新同步并重新启动服务器
- In the administrative console, click
Security>Global security - Under
Custom properties, clickNew - In the Name field, enter
com.ibm.ws.security.web.logoutOnHTTPSessionExpire - In the Values field, enter
true - Click
ApplyandSaveto save the changes to your configuration - Resynchronize and restart the server
这篇关于会话无效不适用于基于LTPA的安全性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
