You use the wsadmin utility to modify the properties in the configuration of the Simple
and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WebSphere®
Application Server.
About this task
Deprecated feature: In WebSphere Application Server
Version 6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API
Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured
resources was introduced. In WebSphere Application Server 7.0, this function is now deprecated. SPNEGO
web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable
fallback to the application login method.
You use the wsadmin utility to configure
the SPNEGO TAI for WebSphere Application Server:
Procedure
- Start WebSphere Application Server.
- Start the command-line utility by running the wsadmin command from the app_server_root/bin directory.
- Start the command-line utility by running the wsadmin command from the app_server_root/bin directory from the Qshell command line.
- At the wsadmin prompt, enter the following command:
$AdminTask modifySpnegoTAIProperties
You can use the following parameters with this command:

| Option | Description |
| --- | --- |
| <spnId> | This parameter is required. It is the SPN identifier for the group of custom properties that are to be defined with this command. |
| <host> | This parameter is optional. It specifies the host name portion in the SPN used by the SPNEGO TAI to establish a Kerberos secure context. |
| <filter> | This parameter is optional. It defines the filtering criteria used by the class specified with the filterClass parameter. |
| <filterClass> | This parameter is optional. It specifies the name of the Java™ class used by the SPNEGO TAI to select which HTTP requests will be subject to SPNEGO authentication. If no class is specified, all HTTP requests will be subject to SPNEGO authentication. |
| <noSpnegoPage> | This parameter is optional. It specifies the URL of a resource that contains the content the SPNEGO TAI will include in the HTTP response to be displayed by the (browser) client application if it does not support SPNEGO authentication. If you do not specify the noSpnegoPage attribute, the default is used: "<html><head><title>SPNEGO authentication is not supported.</title></head>" + "<body>SPNEGO authentication is not supported on this client.</body></html>"; |
| <ntlmTokenPage> | This parameter is optional. The ntlmTokenPage parameter specifies the URL of a resource that contains the content the SPNEGO TAI will include in the HTTP response, which will be displayed by the (browser) client application. The (browser) client application displays this HTTP response when the browser client sends an NT LAN Manager (NTLM) token instead of the expected SPNEGO token during the challenge-response handshake. If you do not specify the ntlmTokenPage attribute, the default is used: "<html><head><title>An NTLM Token was received.</title></head>" + "<body>Your browser configuration is correct, but you have not logged into a supported Windows Domain." + "<p>Please login to the application using the normal login page.</html>"; |
| <trimUserName> | This parameter is optional. It specifies whether (true) or not (false) the SPNEGO TAI is to remove the suffix of the principal user name, starting from the "@" that precedes the Kerberos realm name. If this attribute is set to true, the suffix of the principal user name is removed. If this attribute is set to false, the suffix of the principal name is retained. The default value used is true. |
Results
SPNEGO TAI properties are modified for this WebSphere Application Server.
Example
- Example 1
- The following example configures the SPNEGO TAI to intercept HTTP requests that contain IE 6 in the user agent request header. The SPNEGO TAI uses the SPN of HTTP/myhost.ibm.com@<default_realm> to authenticate the request originator. Then the example modifies the value of the filter custom property that was defined and changes it from user-agent%=IE 6 to host==myhost.company.com.
$AdminTask addSpnegoTAIProperties -host myhost.ibm.com -filter user-agent%=IE 6
$AdminTask modifySpnegoTAIProperties -spnId 1 -filter host==myhost.company.com
- Example 2
- This is an example of modifying the SPNEGO TAI for SPN1 properties to add a filter for host
central01.austin.ibm.com.
wsadmin>$AdminTask modifySpnegoTAIProperties -interactive
Modify SPNEGO TAI properties
Modify SPNEGO TAI configuration properties
*Service Principal Name identifier (spnId): 1
Host name in Service Principal Name (host): central01.austin.ibm.com
HTTP header filter rule (filter): request-url!=noSPNEGO;request-url%=snoop
Name of class used to filter HTTP requests (filterClass):
SPNEGO not supported browser response (noSpnegoPage):
NTLM Token received browser response (ntlmTokenPage):
Trim User Name browser response (trimUserName):
Modify SPNEGO TAI properties
F (Finish)
C (Cancel)
Select [F, C]: [F] f
WASX7278I: Generated command line: $AdminTask modifySpnegoTAIProperties {-spnId
1 -host w2003secdev.austin.ibm.com -filter request-url!=noSPNEGO;request-url%=sn
oop}
com.ibm.ws.security.spnego.SPN1.filter=request-url!=noSPNEGO;request-url%=snoop
com.ibm.ws.security.spnego.SPN1.hostName=central01.austin.ibm.com
wsadmin>
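
Before committing a new filter value, it helps to preview which requests it would select for SPNEGO authentication. The following is an added example, not IBM code and not part of the original page: a simplified Python model of the filter strings used in Examples 1 and 2. The function names `parse_filter` and `is_intercepted` are hypothetical, and the operator meanings, the AND combination of `;`-separated conditions, and the treatment of `request-url` as a pseudo-header are assumptions that this page does not define.

```python
# Simplified model of SPNEGO TAI filter rules; added example, not IBM code.
# Assumed operator semantics (this page does not define them):
#   ==  value equals the argument      %=  value contains the argument
#   !=  value does not contain the argument
OPERATORS = {
    "==": lambda value, arg: value == arg,
    "%=": lambda value, arg: arg in value,
    "!=": lambda value, arg: arg not in value,
}


def parse_filter(rule):
    """Split a filter string into (key, operator, argument) conditions."""
    conditions = []
    for part in filter(None, (p.strip() for p in rule.split(";"))):
        # Use the operator that occurs earliest in the condition.
        hits = [(part.find(op), op) for op in OPERATORS if op in part]
        if not hits:
            raise ValueError("no supported operator in %r" % part)
        pos, op = min(hits)
        key, arg = part[:pos].strip().lower(), part[pos + len(op):]
        if not key or not arg:
            raise ValueError("incomplete condition %r" % part)
        conditions.append((key, op, arg))
    return conditions


def is_intercepted(rule, request_url, headers):
    """Return True if every condition holds (conditions assumed to be ANDed)."""
    values = {name.lower(): value for name, value in headers.items()}
    values["request-url"] = request_url  # assumed pseudo-header for the URL
    # Assumption: an absent header is compared as an empty string.
    return all(OPERATORS[op](values.get(key, ""), arg)
               for key, op, arg in parse_filter(rule))


# Constructed sample requests (not from the page) for the Example 2 filter.
RULE = "request-url!=noSPNEGO;request-url%=snoop"
SAMPLES = [("/snoop", {}), ("/snoop?noSPNEGO", {}), ("/app/login", {})]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        print(url, is_intercepted(RULE, url, headers))
```

Under these assumptions, the Example 2 filter selects only URLs that contain snoop and do not contain noSPNEGO; every other request is not selected by the filter, so confirm that it is still covered by the application's own login method.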