Filtering HTTP requests for SPNEGO TAI (deprecated)
You can use a system programming interface to customize the behavior of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) by specifying whether or not a particular HTTP request should be intercepted.
Before you begin
In WebSphere® Application Server Version 6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WebSphere Application Server 7.0, this function is now deprecated. SPNEGO web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable fallback to the application login method.
About this task
The default behavior of the SPNEGO TAI is to not intercept HTTP requests. This default behavior ensures that the SPNEGO TAI can be installed into an existing cell, configured for a single application server and not change any other application servers in the cell. Other WebSphere Application Servers can run exactly as before within a given configuration.
Procedure
- Set the
com.ibm.ws.security.spnego.isEnabled
Java™ virtual machine (JVM) custom property totrue
to enable the SPNEGO TAI on any JVM. - Identify when the SPNEGO TAI intercepts a given request. A set
of filter properties is provided, but you must determine what is appropriate
and modify the
com.ibm.ws.security.spnego.SPN<id>.filter class
accordingly.