This rule flags the following deprecated methods from the com.ibm.websphere.security.WSSecurityHelper class:
These methods are deprecated in traditional WebSphere Application Server Version 8.5 and might be removed in a future release. They are not available on Liberty.
The functionality provided by WSSecurityHelper.revokeSSOCookies(HttpServletRequest req, HttpServletResponse res) is replaced by the Java Servlet 3.0 specification's logout() method. The Java Servlet 3.0 logout() method performs all of the work that WSSecurityHelper.revokeSSOCookies(HttpServletRequest req, HttpServletResponse res) performs and also does additional state cleanup, such as invalidating the session and clearing the security Subject from the thread.
In the binary scanner, the automated fix replaces calls to revokeSSOCookies(HttpServletRequest req, HttpServletResponse res) with calls to the logout() method. For example, the following code
    import javax.servlet.http.HttpServletRequest;
    ...
    WSSecurityHelper.revokeSSOCookies(req, res);
is replaced by
    import javax.servlet.http.HttpServletRequest;
    ...
    req.logout();
The functionality provided by WSSecurityHelper.getLTPACookieFromSSOToken() is replaced by the new method com.ibm.websphere.security.web.WebSecurityHelper.getSSOCookieFromSSOToken(). Note that this new method is in the class com.ibm.websphere.security.web.WebSecurityHelper, not com.ibm.websphere.security.WSSecurityHelper. This method extracts the SSO token from the Subject of the current thread and builds an SSO cookie from it for use on downstream web invocations.
In the binary scanner, the automated fix replaces calls to WSSecurityHelper.getLTPACookieFromSSOToken() with calls to the WebSecurityHelper.getSSOCookieFromSSOToken() method. An import statement for com.ibm.websphere.security.web.WebSecurityHelper is added if needed. For example, the following code
    import javax.servlet.http.Cookie;
    import com.ibm.websphere.security.WSSecurityHelper;
    ...
    Cookie ltpaCookie = WSSecurityHelper.getLTPACookieFromSSOToken();
is replaced by
    import javax.servlet.http.Cookie;
    import com.ibm.websphere.security.WSSecurityHelper;
    import com.ibm.websphere.security.web.WebSecurityHelper;
    ...
    Cookie ltpaCookie = WebSecurityHelper.getSSOCookieFromSSOToken();
Use the new methods to be compatible with both WebSphere Application Server traditional and Liberty. Note also that when the logout() and getSSOCookieFromSSOToken() methods are in use, the application requires WebSphere Application Server V8.0 or later.
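An added example, not from this rule's text or from IBM's documentation: a hypothetical servlet that uses both replacement methods together, forwarding the caller's SSO cookie from WebSecurityHelper.getSSOCookieFromSSOToken() to an assumed downstream URL on GET and ending the session with Servlet 3.0 logout() on POST. The class name, the downstream URL and the post-logout page are assumptions.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.web.WebSecurityHelper;

// Hypothetical servlet (not from the rule text) using the replacement methods.
public class SsoMigrationServlet extends HttpServlet {
    // Assumed downstream endpoint in the same SSO domain; not on the page.
    private static final String DOWNSTREAM_URL = "https://downstream.example.com/api/whoami";

    // GET: forward the caller's SSO identity to a downstream WebSphere endpoint.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        Cookie sso;
        try {
            // Replacement for WSSecurityHelper.getLTPACookieFromSSOToken():
            // builds an SSO cookie from the SSO token of the Subject on this thread.
            sso = WebSecurityHelper.getSSOCookieFromSSOToken();
        } catch (Exception e) {
            throw new ServletException("Could not build SSO cookie from SSO token", e);
        }
        if (sso == null) {
            // Defensive: no authenticated Subject / SSO token on this thread.
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpURLConnection conn = (HttpURLConnection) new URL(DOWNSTREAM_URL).openConnection();
        // Only the SSO cookie is forwarded, not the whole inbound Cookie header.
        conn.setRequestProperty("Cookie", sso.getName() + "=" + sso.getValue());
        int status = conn.getResponseCode();
        conn.disconnect();
        res.setStatus(status);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // Replacement for WSSecurityHelper.revokeSSOCookies(req, res): Servlet 3.0
        // logout() revokes the SSO cookies and also invalidates the session and
        // clears the security Subject from the thread.
        req.logout();
        res.sendRedirect(req.getContextPath() + "/loggedout.html"); // assumed page
    }
}
```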
This rule has an automated fix. Copy the custom configuration to your application build file to enable it.
For additional information, see