SPNEGO TAI custom configuration attributes

The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) custom configuration attributes control different operational aspects of the SPNEGO TAI. You can specify different attribute values for each appserver.

Best practice: Each of the attributes defined in the following table is specified in the Custom Properties panel for the SPNEGO TAI using the console facility. For convenience, you can optionally place these attributes in a properties file. In this case, the SPNEGO TAI loads the configuration attributes from the file instead of the Custom Properties panel definition. Refer to com.ibm.ws.security.spnego.propertyReloadFile property as defined in SPNEGO TAI JVM configuration attributes.bprac

To assign unique attribute names that identify each possible SPN, an SPN<id> is embedded in the attribute name and used to group the attributes that are associated with each SPN. The SPN<id>s are numbered sequentially for each attribute group.

Table 1.

Attribute Name	Required	Default Value
com.ibm.ws.security.spnego.SPN<id>.hostName	Yes	None
com.ibm.ws.security.spnego.SPN<id>.filterClass	No	See the description that follows.
com.ibm.ws.security.spnego.SPN<id>.filter	No	See the description that follows.
com.ibm.ws.security.spnego.SPN<id>.enableCredDelegate	No	false
com.ibm.ws.security.spnego.SPN<id>.spnegoNotSupportedPage	No	See the description that follows.
com.ibm.ws.security.spnego.SPN<id>.NTLMTokenReceivedPage	No	See the description that follows.
com.ibm.ws.security.spnego.SPN<id>.trimUserName	No	true

com.ibm.ws.security.spnego.SPN<id>.hostName

This attribute is required. It specifies the hostname in the SPN used by the SPNEGO TAI to establish a Kerberos secure context.

The hostname is the long form of hostname. For example, myHostName.austin.ibm.com. The Kerberos SPN is a string of the form HTTP/hostname@realm. The complete SPN is used with the Java Generic Security Service (JGSS) by the SPNEGO provider to obtain the security credential and security context that are used in the authentication process.

com.ibm.ws.security.spnego.SPN<id>.filterClass

This attribute is optional. It specifies the name of the Java class that is used by the SPNEGO TAI to select which HTTP requests are subject to SPNEGO authentication. If no class is specified, the default com.ibm.ws.security.spnego.HTTPHeaderFilter implementation class is used. The Java class that is specified must implement the com.ibm.wsspi.security.spnego.SpnegoFilter interface. A default implementation of this interface is provided. Specify the com.ibm.ws.security.spnego.HTTPHeaderFilter class to use the default implementation. This class uses the selection rules specified with the com.ibm.ws.security.spnego.SPN<id>.filter property.

com.ibm.ws.security.spnego.SPN<id>.filter

This attribute is optional. It defines the filtering criteria that is used by the specified class with the previous attribute. It defines arbitrary criteria that is meaningful to the implementation class used. The com.ibm.ws.security.spnego.HTTPHeaderFilter default implementation class uses this attribute to define a list of selection rules that represent conditions that are matched against the HTTP request headers to determine whether or not the HTTP request is selected for SPNEGO authentication.

Each condition is specified with a key-value pair, separated from each other by a semicolon. The conditions are evaluated from left to right, as they display in the specified attribute. If all conditions are met, the HTTP request is selected for SPNEGO authentication.

The key and value in the key-value pair are separated by an operator that defines which condition is checked. The key identifies an HTTP request header to extract from the request and its value is compared with the value that is specified in the key-value pair according to the operator specification. If the header that is identified by the key is not present in the HTTP request, the condition is treated as not being met. Any of the standard HTTP request headers can be used as the key in the key-value pairs. Refer to the HTTP specification for the list of valid headers. In addition, two keys are defined to extract information from the request, also useful as a selection criterion, which is not available through standard HTTP request headers. The remote-address key is used as a pseudo header to retrieve the remote TCP/IP address of the client application that sent the HTTP request. The request-URL key is used as a pseudo header to retrieve the URL that is used by the client application to make the request. The interceptor uses the result of the getRequestURL operation in the javax.servlet.http.HttpServletRequest interface to construct the Web address. If a query string is present, the result of the getQueryString operation in the same interface is also used. In this case, the complete URL is constructed as follows:

String url = request.getRequestURL() + ‘?’ + request.getQueryString();

The following operators and conditions are defined:

Table 2. Filter conditions and operations

Condition	Operator	Example
Match exactly	= = Arguments are compared as equal.	host=host.my.company.com
Match partially (includes)	%= Arguments are compared with a partial match being valid.	user-agent%=IE 6
Match partially (includes one of many)	^= Arguments are compared with a partial match being valid for one of many arguments specified.	request-url^=webApp1|webApp2|webApp3
Does not match	!= Arguments are compared as not equal.	request-url!=noSPNEGO
Greater than	> Arguments are compared lexogaphically as greater than.	remote-address>192.168.255.130
Less than	< Arguments are compared lexographically as less than.	remote-address<192.168.255.135

com.ibm.ws.security.spnego.SPN<id>.enableCredDelegate

This attribute is optional. It indicates whether or not the Kerberos delegated credentials are stored by the SPNEGO TAI. This attribute enables the capability for an application to retrieve the stored credentials and propagate them to other applications downstream for additional SPNEGO authentication.

This attribute requires use of the advanced Kerberos credential delegation feature and requires development of custom logic by the application developer. The developer must interact directly with the Kerberos Ticket Granting Service (TGS) to obtain a Ticket Granting Ticket (TGT) using the delegated Kerberos credentials on behalf of the end-user who originated the request. The developer must also construct the appropriate Kerberos SPNEGO token and include it in the HTTP request to continue the downstream SPNEGO authentication process, including handling additional SPNEGO challenge-response exchange, if necessary.

com.ibm.ws.security.spnego.SPN<id>.spnegoNotSupportedPage

This attribute is optional. It specifies the Web address of a resource that contains the content that the SPNEGO TAI includes in the HTTP response that the (browser) client application displays if it does not support SPNEGO authentication. It can specify a Web (http://) or a file (file://) resource. If this attribute is not specified or the interceptor cannot find the specified resource, the following content is used:

<html><head><title>SPNEGO authentication is not supported</title></head>
<body>SPNEGO authentication is not supported on this client</body></html>;

com.ibm.ws.security.spnego.SPN<id>.NTLMTokenReceivedPage

This attribute is optional. It specifies the Web address of a resource that contains the content that the SPNEGO TAI includes in the HTTP response that the (browser) client application displays when the SPNEGO token is received by the interceptor when the challenge-response handshake contains a NT LAN Manager (NTLM) token instead of the expected SPNEGO token. It can specify a Web (http://) or a file (file://) resource. If this attribute is not specified or the interceptor cannot find the specified resource, the following content is used:

<html><head><title>An NTLM Token was received.</title></head>
<body>Your browser configuration is correct, but you have not logged into a supported
Microsoft(R) Windows(R) Domain.
<p>Please login to the application using the normal login page.</html>

com.ibm.ws.security.spnego.SPN<id>.trimUserName

This attribute is optional. It specifies whether (true) or not (false) the SPNEGO TAI is to remove the suffix of the principal user name, starting from the "@" that precedes the Kerberos realm name. If this attribute is set to true, the suffix of the principal user name is removed. If this attribute is set to false, the suffix of the principal name is retained. The default value used is true. For example,When com.ibm.ws.security.spnego.SPN<id>.trimUserName = true

bobsmith@myKerberosRealm  becomes  bobsmith

When com.ibm.ws.security.spnego.SPN<id>.trimUserName = false

bobsmith@myKerberosRealm  remains  bobsmith@myKerberosRealm

The following commands tasks can be used to operate on these SPNEGO TAI attributes:

• Adding SPNEGO TAI properties using the wsadmin utility

• Deleting SPNEGO TAI properties using the wsadmin utility

• Modifying SPNEGO TAI properties using the wsadmin utility

• Displaying SPNEGO TAI properties using the wsadmin utility

---

 

Related concepts

Single sign-on for HTTP requests using SPNEGO

 

Related tasks

Adding SPNEGO TAI properties using the wsadmin utility
Deleting SPNEGO TAI properties using the wsadmin utility
Modifying SPNEGO TAI properties using the wsadmin utility
Displaying SPNEGO TAI properties using the wsadmin utility
Mapping user Ids from client to server for SPNEGO
Configure SPNEGO TAI in WAS

 

Reference topic