This rule flags the following method from the com.ibm.websphere.security.WSSecurityHelper class:

• getLTPACookieFromSSOToken()

This method is deprecated in traditional WebSphere Application Server Version 8.5 and might be removed in a future release. It is not available on Liberty.

The functionality provided by WSSecurityHelper.getLTPACookieFromSSOToken() is replaced by the new method com.ibm.websphere.security.web.WebSecurityHelper.getSSOCookieFromSSOToken(). Note that this new method is in the class com.ibm.websphere.security.web.WebSecurityHelper, not com.ibm.websphere.security.WSSecurityHelper. This method will extract the SSO token from the subject of current thread and builds an SSO cookie out of it for use on downstream web invocations.

Use the new method to be compatible on both WebSphere Application Server traditional and Liberty. Also note that with the getSSOCookieFromSSOToken() method in use, the application requires WebSphere Application Server V8.0 or later.

The automated fix replaces the calls to WSSecurityHelper.getLTPACookieFromSSOToken() with calls to the WebSecurityHelper.getSSOCookieFromSSOToken() method. An import statement for com.ibm.websphere.security.web.WebSecurityHelper is added if needed. For example, the following code

is replaced by

This rule has an automated fix. Copy the custom configuration to your application build file to enable it.

For additional information, see

• Class WebSecurityHelper Java documentation.
• Class WSSecurityHelper Java documentation.
• Using a WebSphere Application Server API to achieve downstream web single sign-on with an LtpaToken2 cookie documentation.