SPNEGO Web authentication filter commands
Use wsadmin commands to add, modify, delete, or show SPNEGO Web authentication filters in the security configuration.
Add SPNEGO web authentication filter
Use the addSpnegoFilter command to add a new SPNEGO Web authentication filter in the security configuration.
wsadmin>$AdminTask help addSpnegoFilterYou can use the following parameters with the addSpnegoFilter command:
Table 1. Command parameters
Option Description <hostName> Required. Use to supply a fully-qualified host name. <krb5Realm> Optional. Use to supply a Kerberos realm name. If the krb5Realm parameter is not specified, the default Kerberos realm name in the Kerberos configuration file is used. <filterCriteria> Optional. Use to supply the HTTP request filter rules. If the filterCriteria parameter is not specified, all of the HTTP requests are authenticated by SPNEGO. <filterClass> Optional. Use to supply the HTTP request filter rules. If the filterClass parameter is not specified, the default filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used. <trimUserName> Optional. Use to indicate whether the Kerberos realm name is to be removed from the Kerberos principal name. <enabledGssCredDelegate> Optional. Use to indicate whether to extract and place the client GSS delegation credential in the subject. The default value is true. <spnegoNotSupportedPage> Optional. Use to supply the uniform resource identifier (URI) of the resource with a response to be used when SPNEGO is not supported. If this parameter is not specified, the default SPNEGO not supported error page is used. <ntlmTokenReceivedPage> Optional. Use to supply the URI of the resource with a response to be used when an NT LAN manager (NTLM) token is received. If this parameter is not specified, the default NTLM token received error page is used.
The following is an example of the addSpnegoFilter command:
wsadmin>$AdminTask addSpnegoFilter { -hostName ks.mpls.setgetweb.com -krb5Realm WSSEC.AUSTIN.IBM.COM}
Modify SPNEGO web authentication filter
Use the modifySpnegoFilter command to modify SPNEGO filter attributes in the security configuration.
wsadmin>$AdminTask help modifySpnegoFilterYou can use the following parameters with the modifySpnegoFilter command:
Table 2. Command parameters
Option Description <hostName> Required. Use to supply a long host name. The hostname is an identifier, so we can not modify the hostname. <krb5Realm> Optional. Use to supply a Kerberos realm name. If the krb5Realm parameter is not specified, the default Kerberos realm name in the Kerberos configuration file is used. <filterCriteria> Optional. Use to supply the HTTP request filter rules. If the filterCriteria parameter is not specified, all of the HTTP requests are authenticated by SPNEGO. Read about Enable and configuring SPNEGO Web authentication for more information about filter criteria.
<filterClass> Optional. Use to supply the HTTP request filter rules. If the filterClass is not specified, the default filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used. <trimUserName> Optional. Use to indicate whether the Kerberos realm name is to be removed from the Kerberos principal name. <enabledGssCredDelegate> Optional. Use to indicate whether to extract and place the client GSS delegation credential in the subject. The default value is true. <spnegoNotSupportedPage> Optional. Use to supply the URI of the resource with a response to be used when SPNEGO is not supported. If this parameter is not specified, the default SPNEGO not supported error page is used. <ntlmTokenReceivedPage> Optional. Use to supply the URI of the resource with a response to be used when an NTLM token is received. If this parameter is not specified, the default NTLM token received error page is used.
The following is an example of the modifySpnegoFilter command:
wsadmin>$AdminTask modifySpnegoFilter { -hostName ks.mpls.setgetweb.com -krb5Realm WSSEC.AUSTIN.IBM.COM}
Delete SPNEGO web authentication filter
Use the deleteSpnegoFilter command to remove SPNEGO a Web authentication filter from the security configuration. If a host name is not specified, all of the SPNEGO Web authentication filters are removed.
wsadmin>$AdminTask help deleteSpnegoFilter
You can use the following parameter with the deleteSpnegoFilter command:
Table 3. Command parameters
Option Description <hostname> Required. If the hostname is not specified, all of the SPNEGO Web authentication filters are deleted.
The following is an example of the deleteSpnegoFilter command:
wsadmin> $AdminTask deleteSpnegoFilter {-hostName ks.mpls.setgetweb.com}
Show SPNEGO web authentication filter
Use the showSpnegoFilter command to display a SPNEGO Web authentication filter in the security configuration. If a host name is not specified, all of the SPNEGO filters are displayed.
wsadmin>$AdminTask help showSpnegoFilter
You can use the following parameter with the showSpnegoFilter command:
Table 4. Command parameters
Option Description <hostname> This parameter is optional. If a long host name is not specified, all of the SPNEGO Web authentication filters are displayed.
The following is an example of the showSpnegoFilter command:
wsadmin> $AdminTask showSpnegoFilter {-hostName ks.mpls.setgetweb.com}
Related tasks
Set Kerberos as the authentication mechanism
Set SPNEGO web authentication filters
Set security with scripting
Related
SPNEGO Web authentication configuration commands