IBM Support

PK10334; 6.0.2: Unable to use absolute URL for logoutexitpage value

Downloadable files


Receive 404 error when POST to ibm_security_logout servlet.

Download Description

PK10334 resolves the following problem:

Forms based logout is misinterpreting the value for name="logoutExitPage". An absolute value is being specified ('') but it is being converted to a URL relative to the to the application context root, (/myapp/ This causes the browser to issue "404 page not found".

If the logout is done by a call to the special URI "ibm_security_logout" with request parameter logoutExitPage set to an absolute URL this worked with IBM® WebSphere® Application Server V6.0.1. That is, after the logout from Application Server the browser was redirected to the specified (absolute) logoutExitPage URL.

Example (logout button in application html page):

<form method="post" action="ibm_security_logout" name="logout">
<input type="submit" name="logout" value="Logout">
<input type="hidden" name="logoutExitPage"

After the POST to ibm_security_logout, the browser is redirected
to: ''

With Application Server V6.0.2 this has changed. It obviously treats the value of logoutExitPage always as a relative URI. That means, relative to the to the application context root.

Assuming the context root of the application is "/myapp/" the above sample will return a redirect to the URL /myapp/

Of course that does not work and produces a "404 page not found" on the browser.

The change in processing was introduced in APAR PQ97264.

Looking for a way to specify an absolute URL as the LogoutExitPage value.



WebSphere Application Server security users with Form Logout Exit pages.

Receive 404 error when POST to ibm_security_logout servlet


When POST to ibm_security_logout servlet, you may get 404 error if Logout exit page is not relative URI. This is caused by a previous APAR, which enforce all logout exit page be relative URI to Context root.

Since there is no spec for the logout exist page, lot of existing applications do not follow the relative URI rule. We will allow the flexibility on logout page when is set to false.

1. If logout exit page starts with /, it is a relative URI by default.
2. If logout exit page starts with /, and the system property, is set to "true", the logout exit page is treated as absolute URI.
3. If logout page does NOT start with /, it will not be treated as a relative URI, For example, if logout page starts with http:// or 'https://', it is absolute URL, and WebSphere security will use as it is to call sendRedirect.

The fix for this APAR is currently targeted for inclusion in fix pack Please refer to the Recommended Updates page for delivery dates:


Please download the UpdateInstaller below to install this fix.

UpdateInstaller US English 7250000

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme US English 7723

Download package

Download RELEASE DATE LANGUAGE SIZE(Bytes) Download Options
What is DD?
6.0.2-WS-WAS-MultiOS-IFPK10334 11/22/2005 US English 10297 FTP DD

Technical support

Contact IBM Support using SR (, visit the WebSphere Application Server Support Web site (, or contact 1-800-IBM-SERV(U.S. only).

Cross reference information
Segment Product Component Platform Version Edition
Application Servers Runtimes for Java Technology Java SDK

Problems (APARS) fixed

Document information

More support for: WebSphere Application Server

Software version: 6.0.2,,,

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows

Software edition: Base, Network Deployment

Reference #: 4010999

Modified date: 14 March 2007

Translate this page: