JSF Siteminder logout

Question

Environment

• Richfaces 3.3.3
• JSF 1.2
• Siteminder

Requirement

User enters the required application address. Siteminder intercepts and asks for username and password. Client provides with credentials. Clients uses application and clicks on logout/exit button. Application destroys sessions and redirects 302 to same application address and Siteminder should intercept again.

Problem

I am trying to logout from richfaces application which is logged in from siteminder. after logout, rather going to login page of siteminder it comes back to main page of application. Seems like it is killing the application session but not the siteminder session. Is there a way to logout siteminder ?

Code

public String logout() {
    ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
    HttpSession session = (HttpSession)ec.getSession(false);

    if (session != null) {
        session.invalidate();
    }

    try {
        String redirectPath = "https://abcd.xyz.com/context/start.jsf";
        ec.redirect(redirectPath);
    } catch (IOException e) {
        e.printStackTrace();
    }

return null;

Log

com.ibm.ws.webcontainer.servlet.ServletWrapper doDestroy SRVE0253I [hostname] [/context] [uri]: Destroy successfull. com.ibm.ws.webcontainer.servlet.ServletWrapper init SRVE0242I [hostname] [/context] [uri]: Initialization successfull.

Answer 1

I forcibly do a redirect by using the below code in servletfilter if the SM_USER value in header is null / empty.

if(servletPath.trim().equals("/login/logout.do")){
                    log.debug("User Logged Out. Redirecting to " + contextPath + homeLink);
                    RequestDispatcher rd = request.getRequestDispatcher(homeLink);
                    rd.forward(request, response);
                    return;                 
                }