SPNEGO web authentication filter commands

SPNEGO web authentication filter commands

Use wsadmin commands to add, modify, delete, or show SPNEGO Web authentication filters in the security configuration.

Add SPNEGO web authentication filter

Use the addSpnegoFilter command to add a new SPNEGO web authentication filter in the security configuration.
At the wsadmin prompt, enter the following command for help:
wsadmin>$AdminTask help addSpnegoFilter
:

Option Description
<hostName> Required. Use to supply a fully-qualified host name.
<krb5Realm> This parameter is not required. Use to supply a Kerberos realm name. If the krb5Realm parameter is not specified, the default Kerberos realm name in the Kerberos configuration file is used.
<filterCriteria> This parameter is not required. Use to supply the HTTP request filter rules. If the filterCriteria parameter is not specified, all of the HTTP requests are authenticated by SPNEGO.
<filterClass> This parameter is not required. Use to supply the HTTP request filter rules. If the filterClass parameter is not specified, the default filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used.
<trimUserName> This parameter is not required. Use to indicate whether the Kerberos realm name is to be removed from the Kerberos principal name.
<enabledGssCredDelegate> This parameter is not required. Use to indicate whether to extract and place the client GSS delegation credential in the subject. The default value is true.
<spnegoNotSupportedPage> This parameter is not required. Use to supply the uniform resource identifier (URI) of the resource with a response to be used when SPNEGO is not supported. If this parameter is not specified, the default SPNEGO not supported error page is used.
<ntlmTokenReceivedPage> This parameter is not required. Use to supply the URI of the resource with a response to be used when an NT LAN manager (NTLM) token is received. If this parameter is not specified, the default NTLM token received error page is used.

The following is an example of the addSpnegoFilter command:
wsadmin>$AdminTask addSpnegoFilter {
  -hostName ks.austin.ibm.com    -krb5Realm WSSEC.AUSTIN.IBM.COM}
Modify SPNEGO web authentication filter

Use the modifySpnegoFilter command to modify SPNEGO filter attributes in the security configuration.
At the wsadmin prompt, enter the following command for help:
wsadmin>$AdminTask help modifySpnegoFilter

Option Description
<hostName> Required. Use to supply a long host name. The hostname is an identifier, so we can not modify the hostname.
<krb5Realm> This parameter is not required. Use to supply a Kerberos realm name. If the krb5Realm parameter is not specified, the default Kerberos realm name in the Kerberos configuration file is used.
<filterCriteria> This parameter is not required. Use to supply the HTTP request filter rules. If the filterCriteria parameter is not specified, all of the HTTP requests are authenticated by SPNEGO.
For more information about filter criteria, read the topic Enable and configuring SPNEGO web authentication using the administrative console.
<filterClass> This parameter is not required. Use to supply the HTTP request filter rules. If the filterClass is not specified, the default filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used.
<trimUserName> This parameter is not required. Use to indicate whether the Kerberos realm name is to be removed from the Kerberos principal name.
<enabledGssCredDelegate> This parameter is not required. Use to indicate whether to extract and place the client GSS delegation credential in the subject. The default value is true.
<spnegoNotSupportedPage> This parameter is not required. Use to supply the URI of the resource with a response to be used when SPNEGO is not supported. If this parameter is not specified, the default SPNEGO not supported error page is used.
<ntlmTokenReceivedPage> This parameter is not required. Use to supply the URI of the resource with a response to be used when an NTLM token is received. If this parameter is not specified, the default NTLM token received error page is used.

The following is an example of the modifySpnegoFilter command:
wsadmin>$AdminTask modifySpnegoFilter {
  -hostName ks.austin.ibm.com    -krb5Realm WSSEC.AUSTIN.IBM.COM}
Delete SPNEGO web authentication filter

Use the deleteSpnegoFilter command to remove SPNEGO a web authentication filter from the security configuration. If a host name is not specified, all of the SPNEGO web authentication filters are removed.
At the wsadmin prompt, enter the following command for help:
wsadmin>$AdminTask help deleteSpnegoFilter

Option Description
host Required. If the hostname is not specified, all of the SPNEGO web authentication filters are deleted.

The following is an example of the deleteSpnegoFilter command:
wsadmin> $AdminTask deleteSpnegoFilter {-hostName ks.austin.ibm.com}

Show SPNEGO web authentication filter

Use the showSpnegoFilter command to display a SPNEGO web authentication filter in the security configuration. If a host name is not specified, all of the SPNEGO filters are displayed.
At the wsadmin prompt, enter the following command for help:
wsadmin>$AdminTask help showSpnegoFilter

Option Description
host Optional. If a long host name is not specified, all of the SPNEGO web authentication filters are displayed.

The following is an example of the showSpnegoFilter command:
wsadmin> $AdminTask showSpnegoFilter {-hostName ks.austin.ibm.com}

Related tasks

Configure security
Enable and configure SPNEGO web authentication using the administrative console
Configure Kerberos as the authentication mechanism using the administrative console
Add SPNEGO web authentication filters using the administrative console

SPNEGO web authentication configuration commands

Option	Description
<hostName>	Required. Use to supply a fully-qualified host name.
<krb5Realm>	This parameter is not required. Use to supply a Kerberos realm name. If the krb5Realm parameter is not specified, the default Kerberos realm name in the Kerberos configuration file is used.
<filterCriteria>	This parameter is not required. Use to supply the HTTP request filter rules. If the filterCriteria parameter is not specified, all of the HTTP requests are authenticated by SPNEGO.
<filterClass>	This parameter is not required. Use to supply the HTTP request filter rules. If the filterClass parameter is not specified, the default filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used.
<trimUserName>	This parameter is not required. Use to indicate whether the Kerberos realm name is to be removed from the Kerberos principal name.
<enabledGssCredDelegate>	This parameter is not required. Use to indicate whether to extract and place the client GSS delegation credential in the subject. The default value is true.
<spnegoNotSupportedPage>	This parameter is not required. Use to supply the uniform resource identifier (URI) of the resource with a response to be used when SPNEGO is not supported. If this parameter is not specified, the default SPNEGO not supported error page is used.
<ntlmTokenReceivedPage>	This parameter is not required. Use to supply the URI of the resource with a response to be used when an NT LAN manager (NTLM) token is received. If this parameter is not specified, the default NTLM token received error page is used.

Option	Description
<hostName>	Required. Use to supply a long host name. The hostname is an identifier, so we can not modify the hostname.
<krb5Realm>	This parameter is not required. Use to supply a Kerberos realm name. If the krb5Realm parameter is not specified, the default Kerberos realm name in the Kerberos configuration file is used.
<filterCriteria>	This parameter is not required. Use to supply the HTTP request filter rules. If the filterCriteria parameter is not specified, all of the HTTP requests are authenticated by SPNEGO. For more information about filter criteria, read the topic Enable and configuring SPNEGO web authentication using the administrative console.
<filterClass>	This parameter is not required. Use to supply the HTTP request filter rules. If the filterClass is not specified, the default filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used.
<trimUserName>	This parameter is not required. Use to indicate whether the Kerberos realm name is to be removed from the Kerberos principal name.
<enabledGssCredDelegate>	This parameter is not required. Use to indicate whether to extract and place the client GSS delegation credential in the subject. The default value is true.
<spnegoNotSupportedPage>	This parameter is not required. Use to supply the URI of the resource with a response to be used when SPNEGO is not supported. If this parameter is not specified, the default SPNEGO not supported error page is used.
<ntlmTokenReceivedPage>	This parameter is not required. Use to supply the URI of the resource with a response to be used when an NTLM token is received. If this parameter is not specified, the default NTLM token received error page is used.