Configuring JVM custom properties, filtering HTTP requests, and enabling SPNEGO TAI in WebSphere Application Server (deprecated)
Performing this task helps you, as web administrator, to ensure that WebSphere® Application Server is configured to enable the operation of the Simple and Protected GSS-API Negotiation mechanism (SPNEGO) trust association interceptor (TAI) with the required Java™ virtual machine (JVM) property and with the appropriate filtering of HTTP requests.
Before you begin
Deprecated feature: In WebSphere Application Server Version 6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WebSphere Application Server 7.0, this function was deprecated. SPNEGO web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable fallback to the application login method.
About this task
The default behavior of the SPNEGO TAI is to not intercept HTTP requests. This default behavior ensures that the SPNEGO TAI can be installed into an existing cell, configured for a single application server and not change any other application servers in the cell. Other WebSphere Application Servers can run exactly as before within a given configuration.
Decide whether or not to use the sample SPN<id>.filterClass and determine the exact filter properties to use.
Note: The default behavior of the SPNEGO TAI is to use the com.ibm.ws.security.spnego.SPN<id>.filterClass and intercept all requests. If the default behavior is not appropriate, you can use a customer provided class, or extend or modify the sample class as required. The system programmer interface, com.ibm.ws.security.spnego.SpnegoFilter allows you to implement a custom filter to determine whether or not to intercept a particular HTTP request. With the default implementation, you can set filter rules for coarse as well as fine-grained criteria in selecting which HTTP requests to intercept.
Note: For an alternative to the following steps for enabling the SPNEGO TAI, you can use scripting to perform the operation. See Enabling the SPNEGO TAI as JVM custom property using scripting (deprecated) for the details.
Procedure
- Log on to WebSphere Application Server administrative console.
- Click Servers > Application servers.
- Select the appropriate server. Under Server Infrastructure, expand Java and process management > Process Definition.
- Click Java virtual machine. Under Additional Properties, click Custom Properties. Create a new custom property, if required, by clicking New, then enter com.ibm.ws.security.spnego.isEnabled in the name field and true in the value field.
- Click Apply > OK to save the configuration.
- Identify when the SPNEGO TAI intercepts a given request. A set of filter properties is provided, but you must determine what is appropriate and modify the com.ibm.ws.security.spnego.SPN<id>.filterClass accordingly.
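One way to confirm that the custom property from the procedure above was actually saved for a server, as an added example that is not part of the IBM documentation: it scans a server.xml for com.ibm.ws.security.spnego.isEnabled on each JVM definition. It assumes custom properties are stored as systemProperties children of jvmEntries; the sample XML is constructed and the function name spnego_tai_status is hypothetical.

```python
import xml.etree.ElementTree as ET

PROP = "com.ibm.ws.security.spnego.isEnabled"
XMI_ID = "{http://www.omg.org/XMI}id"

# Constructed sample (not from a real cell), trimmed to what the check reads.
# Assumption: custom properties are <systemProperties> children of <jvmEntries>.
SAMPLE_SERVER_XML = """\
<process:Server xmlns:process="http://example.invalid/process"
                xmlns:xmi="http://www.omg.org/XMI" name="server1">
  <processDefinitions executableName="java">
    <jvmEntries xmi:id="JavaVirtualMachine_1">
      <systemProperties xmi:id="Property_1"
          name="com.ibm.ws.security.spnego.isEnabled" value="true"/>
    </jvmEntries>
  </processDefinitions>
</process:Server>
"""


def _local(tag):
    """Drop any '{namespace}' prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def spnego_tai_status(server_xml):
    """Map each JVM definition to enabled / not-true / missing / conflict."""
    root = ET.fromstring(server_xml)
    jvms = [e for e in root.iter() if _local(e.tag) == "jvmEntries"]
    report = {}
    for n, jvm in enumerate(jvms):
        values = [p.get("value", "") for p in jvm
                  if _local(p.tag) == "systemProperties" and p.get("name") == PROP]
        if not values:
            state = "missing"        # property was never created on this JVM
        elif len(set(values)) > 1:
            state = "conflict"       # duplicate entries that disagree
        elif values[0] == "true":
            state = "enabled"        # the value the procedure sets
        else:
            state = "not-true"       # present, but not the literal 'true'
        report[jvm.get(XMI_ID, "jvm#%d" % n)] = state
    return report


if __name__ == "__main__":
    for jvm_id, state in spnego_tai_status(SAMPLE_SERVER_XML).items():
        print(jvm_id, state)
```

Running it across every server.xml in a cell shows which application servers have the interceptor switched on, which is the per-server scoping the task description relies on.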