WAS v8.5 > Secure applications > Authenticate users > Implement single sign-on to minimize web user authentications > Create a single sign-on for HTTP requests using the SPNEGO TAI (deprecated)Filtering HTTP requests for SPNEGO TAI (deprecated)
We can use a system programming interface to customize the behavior of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) by specifying whether or not a particular HTTP request should be intercepted.
Before beginning, you need to understand the deployment of the SPNEGO TAI in your installation.
Deprecated feature:
In WebSphere Application Server v6.1, a TAI that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WAS 7.0, this function is now deprecated. SPNEGO web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable fallback to the application login method. depfeat
Verify the configuration of your SPNEGO TAI. The deployment of the SPNEGO TAI can vary from a single WAS system on which a single application is running to a large multinode WAS, Network Deployment (ND) cell, with dozens of application servers, hosting many applications. Every SPNEGO TAI is installed at the cell level. You must be aware of your particular SPNEGO TAI configuration.
The default behavior of the SPNEGO TAI is to not intercept HTTP requests. This default behavior ensures the SPNEGO TAI can be installed into an existing cell, configured for a single application server and not change any other application servers in the cell. Other WASs can run exactly as before within a given configuration.
Then decide whether or not to use the sample SPN<id>.filter class and determine the exact filter properties to use.
The default behavior of the SPNEGO TAI is to use the com.ibm.ws.security.spnego.SPN<id>.filter class and intercept all requests. If the default behavior is not appropriate, we can use a customer provided class, or extend or modify the sample class as required. The system programmer interface, com.ibm.ws.security.spnego.SpnegoFilter allows you to implement a custom filter to determine whether or not to intercept a particular HTTP request. With the default implementation, we can set filter rules for coarse as well as fine-grained criteria in selecting which HTTP requests to intercept.
- Set the com.ibm.ws.security.spnego.isEnabled JVM custom property to true to enable the SPNEGO TAI on any JVM.
- Identify when the SPNEGO TAI intercepts a given request. A set of filter properties is provided, but you must determine what is appropriate and modify the com.ibm.ws.security.spnego.SPN<id>.filter class accordingly.
Results
Your SPNEGO TAI is set to filter HTTP requests when it is operating.
Related concepts:
Single sign-on for HTTP requests using SPNEGO TAI (deprecated)
Related
Create a single sign-on for HTTP requests using the SPNEGO TAI (deprecated)