This rule flags the following deprecated method from the com.ibm.websphere.security.WSSecurityHelper class:
This method is deprecated in traditional WebSphere Application Server Version 8.5 and might be removed in a future release. It is not available on Liberty.
The functionality provided by WSSecurityHelper.revokeSSOCookies(HttpServletRequest req, HttpServletResponse res) is replaced by the logout() method of the Java Servlet 3.0 specification. The logout() method performs all of the work that WSSecurityHelper.revokeSSOCookies(HttpServletRequest req, HttpServletResponse res) performs and also does additional state cleanup, such as invalidating the session and clearing the security Subject from the thread.
Use the new method to be compatible with both WebSphere Application Server traditional and Liberty. Note that an application that uses the logout() method requires WebSphere Application Server V8.0 or later.
In the binary scanner, the automated fix replaces calls to revokeSSOCookies(HttpServletRequest req, HttpServletResponse res) with calls to the logout() method. For example, the following code
is replaced by
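As an added illustration (not the toolkit's own sample and not IBM code), the servlet below shows a logout handler after this change, with the deprecated call kept in a comment for comparison. The class name, URL mapping and redirect target are assumptions made for the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: the name, the "/logout" mapping and "/login.jsp"
// are illustrative assumptions, not values from the rule documentation.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    // Handle logout on POST only, so a plain link or image request
    // cannot end the user's session.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // Before (deprecated in traditional WebSphere V8.5, absent on Liberty):
        //   WSSecurityHelper.revokeSSOCookies(req, res);
        try {
            // After: Servlet 3.0 logout. Per the rule text this does the
            // same work and also invalidates the session and clears the
            // security Subject from the thread, so no separate
            // session.invalidate() call is added here.
            req.logout();
        } catch (ServletException e) {
            // Do not redirect as if logout succeeded; report the failure.
            log("logout failed", e);
            res.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        // Keep the post-logout response out of caches and redirect to a
        // fixed, application-relative page rather than a caller-supplied URL.
        res.setHeader("Cache-Control", "no-store");
        res.sendRedirect(req.getContextPath() + "/login.jsp");
    }
}
```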
This rule has an automated fix. Copy the custom configuration to your application build file to enable it.
For additional information, see