The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) custom configuration properties control different operational aspects of the SPNEGO TAI. You can specify different property values for each application server.
Each of the properties defined in the following table is specified in the Custom Properties panel for the SPNEGO TAI using the administrative console facility. For convenience, you can optionally place these properties in a properties file. In this case, the SPNEGO TAI loads the configuration properties from the file instead of from the Custom Properties panel definition. Refer to the com.ibm.ws.security.spnego.propertyReloadFile property, described in SPNEGO TAI JVM configuration custom properties.
To assign unique property names that identify each possible SPN, an SPN<id> is embedded in the property name and used to group the properties that are associated with that SPN. The SPN<id> values are numbered sequentially (SPN1, SPN2, and so on), one group for each SPN.
Property Name | Required | Default Value |
---|---|---|
com.ibm.ws.security.spnego.SPN<id>.hostName | Yes | None |
com.ibm.ws.security.spnego.SPN<id>.filterClass | No | See the description that follows. |
com.ibm.ws.security.spnego.SPN<id>.filter | No | See the description that follows. |
com.ibm.ws.security.spnego.SPN<id>.enableCredDelegate | No | false |
com.ibm.ws.security.spnego.SPN<id>.spnegoNotSupportedPage | No | See the description that follows. |
com.ibm.ws.security.spnego.SPN<id>.NTLMTokenReceivedPage | No | See the description that follows. |
com.ibm.ws.security.spnego.SPN<id>.trimUserName | No | true |
Each condition is specified as a key-value pair, and conditions are separated from each other by a semicolon. The conditions are evaluated from left to right, in the order they appear in the property. If all conditions are met, the HTTP request is selected for SPNEGO authentication.
The key and the value in the key-value pair are separated by an operator that defines which condition is checked. The key identifies an HTTP request header to extract from the request, and the header's value is compared with the value specified in the key-value pair according to the operator. If the header identified by the key is not present in the HTTP request, the condition is treated as not being met, whichever operator is used.
For the request-url key, the value that is compared is the request URL together with its query string, built as follows:
String url = request.getRequestURL() + '?' + request.getQueryString();
Condition | Operator | Example |
---|---|---|
Match exactly | == (arguments are compared as equal) | host==host.my.company.com |
Match partially (includes) | %= (arguments are compared with a partial match being valid) | user-agent%=IE 6 |
Match partially (includes one of many) | ^= (arguments are compared with a partial match being valid for any one of the \|-separated arguments) | request-url^=webApp1\|webApp2\|webApp3 |
Does not match | != (arguments are compared as not equal) | request-url!=noSPNEGO |
Greater than | > (arguments are compared lexicographically as greater than) | remote-address>192.168.255.130 |
Less than | < (arguments are compared lexicographically as less than) | remote-address<192.168.255.135 |
Note that > and < compare the header value and the argument as strings, not as numbers. A remote-address condition therefore does not express a numeric IP range: for example, 192.168.255.9 sorts after 192.168.255.130 as text, so it satisfies remote-address>192.168.255.130.
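As an added example (not code from WebSphere or from the IBM documentation), the following Python re-implements the documented filter semantics so that the operators in the table can be tried against constructed requests: conditions split on semicolons, evaluated left to right, all of which must hold, with an absent header failing its condition. The request dictionary layout, the make_request helper and the sample User-Agent string are assumptions of the example; it also exercises the string comparison that > and < perform on remote-address.

```python
"""Illustrative evaluator for SPNEGO TAI filter expressions.

Added example, not WebSphere code: re-implements the documented semantics
of the com.ibm.ws.security.spnego.SPN<id>.filter property so the operators
can be exercised against constructed requests.
"""

# Two-character operators are tried before '>' and '<' so that a clause
# such as "request-url!=noSPNEGO" is not split on the wrong character.
OPERATORS = ("==", "%=", "^=", "!=", ">", "<")


def parse_filter(filter_text):
    """Turn 'key1==v1;key2%=v2' into a list of (key, operator, value)."""
    conditions = []
    for clause in filter_text.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        for op in OPERATORS:
            if op in clause:
                key, value = clause.split(op, 1)
                conditions.append((key.strip().lower(), op, value.strip()))
                break
        else:
            raise ValueError("condition has no operator: %r" % clause)
    return conditions


def request_url(request):
    """Mirror the documented Java construction
    request.getRequestURL() + '?' + request.getQueryString().
    With no query string, Java string concatenation renders null as 'null'."""
    query = request.get("query")
    return request["url"] + "?" + ("null" if query is None else query)


def header_value(request, key):
    """Resolve a filter key to the request value it is compared against.
    request-url and remote-address are synthesized; any other key is a
    header looked up case-insensitively. None means 'not present'."""
    if key == "request-url":
        return request_url(request)
    if key == "remote-address":
        return request.get("remote_address")
    return request["headers"].get(key)


def condition_met(op, actual, expected):
    """Apply one operator. '>' and '<' are plain string comparisons."""
    if op == "==":
        return actual == expected
    if op == "%=":
        return expected in actual
    if op == "^=":
        return any(part in actual for part in expected.split("|"))
    if op == "!=":
        return actual != expected
    if op == ">":
        return actual > expected
    if op == "<":
        return actual < expected
    raise ValueError("unknown operator: %r" % op)


def request_selected(filter_text, request):
    """True when every condition holds, evaluated left to right. A condition
    whose header is absent from the request is not met, even for '!='."""
    for key, op, expected in parse_filter(filter_text):
        actual = header_value(request, key)
        if actual is None or not condition_met(op, actual, expected):
            return False
    return True


def make_request(remote_address, query="lang=en",
                 user_agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"):
    """Constructed sample request (not a real capture); header names are
    stored lower-cased so lookups are case-insensitive."""
    return {
        "url": "http://host.my.company.com/webApp2/login",
        "query": query,
        "remote_address": remote_address,
        "headers": {"host": "host.my.company.com", "user-agent": user_agent},
    }


if __name__ == "__main__":
    browser = make_request("192.168.255.133")
    print(request_selected("host==host.my.company.com;user-agent%=IE 6;"
                           "request-url^=webApp1|webApp2|webApp3", browser))  # True
    # String comparison: .9 sorts after .130 as text and passes '>',
    # while .2 sorts after .135 and fails '<'.
    print(request_selected("remote-address>192.168.255.130",
                           make_request("192.168.255.9")))  # True
    print(request_selected("remote-address<192.168.255.135",
                           make_request("192.168.255.2")))  # False
```

The last two calls are the check to run before relying on a remote-address filter: if a client address that is numerically outside the intended range is selected, restrict by host or request-url instead, or enforce the address range at the network layer.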
The enableCredDelegate property requires use of the advanced Kerberos credential delegation feature and requires development of custom logic by the application developer. The developer must interact directly with the Kerberos Ticket Granting Service (TGS), using the delegated Kerberos credentials (the forwarded TGT) on behalf of the end user who originated the request, to obtain a service ticket for the downstream service. The developer must also construct the appropriate Kerberos SPNEGO token and include it in the HTTP request to continue the downstream SPNEGO authentication process, including handling any additional SPNEGO challenge-response exchange, if necessary.
If spnegoNotSupportedPage is not specified, the following content is returned to a client that does not support SPNEGO:
<html><head><title>SPNEGO authentication is not supported</title></head> <body>SPNEGO authentication is not supported on this client</body></html>
If NTLMTokenReceivedPage is not specified, the following content is returned when the client sends an NTLM token instead of a SPNEGO token:
<html><head><title>An NTLM Token was received.</title></head> <body>Your browser configuration is correct, but you have not logged into a supported Microsoft(R) Windows(R) Domain. <p>Please login to the application using the normal login page.</p></body></html>
With trimUserName set to true (the default), the Kerberos realm is removed from the principal name before it is used as the user name: bobsmith@myKerberosRealm becomes bobsmith.
With trimUserName set to false, the full principal name is kept: bobsmith@myKerberosRealm remains bobsmith@myKerberosRealm.
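A complete properties file for two SPN groups, as an added example rather than a fragment from the documentation. The host names, application paths and client address range are assumptions; the property names and the filter syntax are the ones described above. Each SPN<id> group carries its own filter and its own trimUserName and enableCredDelegate settings, so request selection and user-name handling are decided per SPN.

```properties
# Added example: a properties file loaded through
# com.ibm.ws.security.spnego.propertyReloadFile (not from the documentation).
# Host names, paths and addresses are assumptions.

# SPN1: intranet host; only the listed applications, with an opt-out URL excluded
com.ibm.ws.security.spnego.SPN1.hostName=host.my.company.com
com.ibm.ws.security.spnego.SPN1.filter=request-url^=webApp1|webApp2|webApp3;request-url!=noSPNEGO
com.ibm.ws.security.spnego.SPN1.enableCredDelegate=false
com.ibm.ws.security.spnego.SPN1.trimUserName=true

# SPN2: a second host that keeps the realm in the user name and selects only
# clients whose address falls in a (string-compared) range
com.ibm.ws.security.spnego.SPN2.hostName=host2.my.company.com
com.ibm.ws.security.spnego.SPN2.filter=host==host2.my.company.com;remote-address>192.168.255.130;remote-address<192.168.255.135
com.ibm.ws.security.spnego.SPN2.enableCredDelegate=false
com.ibm.ws.security.spnego.SPN2.trimUserName=false
```

Because a Java properties file splits each line at the first unescaped equals sign, the operators inside a filter value (==, ^=, !=) are read as part of the value and need no escaping.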