SPNEGO web authentication filter commands

WAS v8.5 > Reference > Commands (wsadmin scripting)
SPNEGO web authentication filter commands

Use wsadmin commands to add, modify, delete, or show Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) Web authentication filters in the security configuration.

Add SPNEGO web authentication filter

Use the addSpnegoFilter command to add a new SPNEGO web authentication filter in the security configuration.
At the wsadmin prompt, enter the following command for help:
wsadmin>$AdminTask help addSpnegoFilter
:
Command parameters. We can use the following parameters with the addSpnegoFilter command

Option Description
<hostName> This parameter is required. Use to supply a fully-qualified host name.
<krb5Realm> This parameter is not required. Use to supply a Kerberos realm name. If the krb5Realm parameter is not specified, the default Kerberos realm name in the Kerberos configuration file is used.
<filterCriteria> This parameter is not required. Use to supply the HTTP request filter rules. If the filterCriteria parameter is not specified, all of the HTTP requests are authenticated by SPNEGO.
<filterClass> This parameter is not required. Use to supply the HTTP request filter rules. If the filterClass parameter is not specified, the default filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used.
<trimUserName> This parameter is not required. Use to indicate whether the Kerberos realm name is to be removed from the Kerberos principal name.
<enabledGssCredDelegate> This parameter is not required. Use to indicate whether to extract and place the client GSS delegation credential in the subject. Default is true.
<spnegoNotSupportedPage> This parameter is not required. Use to supply the uniform resource identifier (URI) of the resource with a response to be used when SPNEGO is not supported. If this parameter is not specified, the default SPNEGO not supported error page is used.
<ntlmTokenReceivedPage> This parameter is not required. Use to supply the URI of the resource with a response to be used when an NT LAN manager (NTLM) token is received. If this parameter is not specified, the default NTLM token received error page is used.

The following is an example of the addSpnegoFilter command:
wsadmin>$AdminTask addSpnegoFilter {
  -hostName ks.austin.ibm.com 
  -krb5Realm WSSEC.AUSTIN.IBM.COM}
Modify SPNEGO web authentication filter

Use the modifySpnegoFilter command to modify SPNEGO filter attributes in the security configuration.
At the wsadmin prompt, enter the following command for help:
wsadmin>$AdminTask help modifySpnegoFilter

Command parameters. We can use the following parameters with the modifySpnegoFilter command:

Option Description
<hostName> This parameter is required. Use to supply a long host name. The hostname is an identifier, so we can not modify the hostname.
<krb5Realm> This parameter is not required. Use to supply a Kerberos realm name. If the krb5Realm parameter is not specified, the default Kerberos realm name in the Kerberos configuration file is used.
<filterCriteria> This parameter is not required. Use to supply the HTTP request filter rules. If the filterCriteria parameter is not specified, all of the HTTP requests are authenticated by SPNEGO.
For more information about filter criteria, read the topic Enabling and configuring SPNEGO web authentication using the dmgr console.
<filterClass> This parameter is not required. Use to supply the HTTP request filter rules. If the filterClass is not specified, the default filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used.
<trimUserName> This parameter is not required. Use to indicate whether the Kerberos realm name is to be removed from the Kerberos principal name.
<enabledGssCredDelegate> This parameter is not required. Use to indicate whether to extract and place the client GSS delegation credential in the subject. Default is true.
<spnegoNotSupportedPage> This parameter is not required. Use to supply the URI of the resource with a response to be used when SPNEGO is not supported. If this parameter is not specified, the default SPNEGO not supported error page is used.
<ntlmTokenReceivedPage> This parameter is not required. Use to supply the URI of the resource with a response to be used when an NTLM token is received. If this parameter is not specified, the default NTLM token received error page is used.

The following is an example of the modifySpnegoFilter command:
wsadmin>$AdminTask modifySpnegoFilter {
  -hostName ks.austin.ibm.com 
  -krb5Realm WSSEC.AUSTIN.IBM.COM}
Delete SPNEGO web authentication filter

Use the deleteSpnegoFilter command to remove SPNEGO a web authentication filter from the security configuration. If a host name is not specified, all of the SPNEGO web authentication filters are removed.
At the wsadmin prompt, enter the following command for help:
wsadmin>$AdminTask help deleteSpnegoFilter

Command parameters. We can use the following parameter with the deleteSpnegoFilter command:

Option Description
host This parameter is required. If the hostname is not specified, all of the SPNEGO web authentication filters are deleted.

The following is an example of the deleteSpnegoFilter command:
wsadmin> $AdminTask deleteSpnegoFilter {-hostName ks.austin.ibm.com}

Show SPNEGO web authentication filter

Use the showSpnegoFilter command to display a SPNEGO web authentication filter in the security configuration. If a host name is not specified, all of the SPNEGO filters are displayed.
At the wsadmin prompt, enter the following command for help:
wsadmin>$AdminTask help showSpnegoFilter

Command parameters. We can use the following parameter with the showSpnegoFilter command:

Option Description
host This parameter is optional. If a long host name is not specified, all of the SPNEGO web authentication filters are displayed.

The following is an example of the showSpnegoFilter command:
wsadmin> $AdminTask showSpnegoFilter {-hostName ks.austin.ibm.com}

Related

Configure security with scripting
Enable and configuring SPNEGO web authentication
Configure Kerberos as the authentication mechanism
Add or modifying SPNEGO web authentication filters

Reference:

SPNEGO web authentication configuration commands

+
Search Tips | Advanced Search

Option	Description
<hostName>	This parameter is required. Use to supply a fully-qualified host name.
<krb5Realm>	This parameter is not required. Use to supply a Kerberos realm name. If the krb5Realm parameter is not specified, the default Kerberos realm name in the Kerberos configuration file is used.
<filterCriteria>	This parameter is not required. Use to supply the HTTP request filter rules. If the filterCriteria parameter is not specified, all of the HTTP requests are authenticated by SPNEGO.
<filterClass>	This parameter is not required. Use to supply the HTTP request filter rules. If the filterClass parameter is not specified, the default filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used.
<trimUserName>	This parameter is not required. Use to indicate whether the Kerberos realm name is to be removed from the Kerberos principal name.
<enabledGssCredDelegate>	This parameter is not required. Use to indicate whether to extract and place the client GSS delegation credential in the subject. Default is true.
<spnegoNotSupportedPage>	This parameter is not required. Use to supply the uniform resource identifier (URI) of the resource with a response to be used when SPNEGO is not supported. If this parameter is not specified, the default SPNEGO not supported error page is used.
<ntlmTokenReceivedPage>	This parameter is not required. Use to supply the URI of the resource with a response to be used when an NT LAN manager (NTLM) token is received. If this parameter is not specified, the default NTLM token received error page is used.