Configuring JVM custom properties, filtering HTTP requests, and enabling SPNEGO TAI in WebSphere Application Server (deprecated)
Performing this task helps you, as web administrator, to ensure that WebSphere® Application Server is configured to enable the operation of the Simple and Protected GSS-API Negotiation mechanism (SPNEGO) trust association interceptor (TAI) with the required Java™ virtual machine (JVM) property and with the appropriate filtering of HTTP requests.
Before you begin
About this task
Verify the configuration of your SPNEGO TAI. The deployment of the SPNEGO TAI can vary from a single WebSphere Application Server system on which a single application is running to a large multinode WebSphere Application Server Network Deployment (ND) cell, with dozens of application servers, hosting many applications. Every SPNEGO TAI is installed at the cell level. You must be aware of your particular SPNEGO TAI configuration.
The default behavior of the SPNEGO TAI is to not intercept HTTP requests. This default behavior ensures that the SPNEGO TAI can be installed into an existing cell and configured for a single application server without changing any other application servers in the cell. Other WebSphere Application Servers can run exactly as before within a given configuration.
com.ibm.ws.security.spnego.SPN<id>.filterClass
and intercept all requests.
com.ibm.ws.security.spnego.SpnegoFilter allows you to implement a custom filter to determine whether or not to intercept a particular HTTP request. With the default implementation, you can set filter rules for coarse as well as fine-grained criteria in selecting which HTTP requests to intercept.
Complete the following steps to enable the operation of the SPNEGO TAI with your selected filtering and with the JVM required property.
Procedure
- Log on to WebSphere Application Server administrative console.
- Click Servers > Application servers.
- Select the appropriate server. Under Server Infrastructure, expand Java and process management > Process Definition.
- Click Java virtual machine. Under Additional Properties, click Custom Properties. Create a new custom property, if required, by clicking New, then enter com.ibm.ws.security.spnego.isEnabled in the name field and true in the value field.
- Click Apply > OK to save the configuration.
- Identify when the SPNEGO TAI intercepts a given request. A set of filter properties is provided, but you must determine what is appropriate and modify the com.ibm.ws.security.spnego.SPN<id>.filterClass accordingly.
Results
The application server is configured and ready to provide a single sign-on environment for end users who have successfully authenticated in a Microsoft Active Directory domain. You must restart each application server that is configured for SPNEGO web authentication. Then your SPNEGO TAI is set to filter HTTP requests when it is operating.
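An offline check that the JVM custom property from the procedure is present and set to true on each server, before you restart. This is an added example, not IBM code: it assumes each server's server.xml stores JVM custom properties as systemProperties elements under jvmEntries, and the XML, the helper names and the second property name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PROP = "com.ibm.ws.security.spnego.isEnabled"

# Constructed sample: a simplified server.xml. Assumed layout: JVM custom
# properties are <systemProperties name=".." value=".."/> under <jvmEntries>.
TEMPLATE = """<process:Server xmlns:process="urn:example:process" name="{name}">
  <processDefinitions>
    <jvmEntries>
      <systemProperties name="example.other.property" value="off"/>
      {extra}
    </jvmEntries>
  </processDefinitions>
</process:Server>"""

def sample(name, value=None):
    """Build a constructed server.xml; value=None omits the SPNEGO property."""
    extra = "" if value is None else (
        '<systemProperties name="%s" value="%s"/>' % (PROP, value))
    return TEMPLATE.format(name=name, extra=extra)

def spnego_jvm_status(server_xml):
    """Return (server name, 'enabled' | 'wrong-value' | 'missing')."""
    root = ET.fromstring(server_xml)
    values = [p.get("value", "")
              for jvm in root.iter("jvmEntries")
              for p in jvm.iter("systemProperties")
              if p.get("name") == PROP]
    if not values:
        status = "missing"
    elif all(v == "true" for v in values):
        status = "enabled"
    else:
        # Anything other than the literal "true" given in the procedure
        # (for example "True", or a duplicate entry set to "false") is flagged.
        status = "wrong-value"
    return root.get("name", "<unnamed>"), status

def servers_needing_attention(server_xmls):
    """List (name, status) for each server where the property is not exactly true."""
    results = [spnego_jvm_status(x) for x in server_xmls]
    return [r for r in results if r[1] != "enabled"]

if __name__ == "__main__":
    cell = [sample("server1", "true"), sample("server2"), sample("server3", "True")]
    for name, status in servers_needing_attention(cell):
        print("%s: %s" % (name, status))
```

The check is deliberately strict: any value other than the exact string true is reported for review rather than assumed to work.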