WebSphere Application Server Network Deployment, Version 6.1
             Operating Systems: AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS


Single sign-on for HTTP requests using SPNEGO

WebSphere Application Server provides a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources in WebSphere Application Server.

SPNEGO is a standard specification defined in The Simple and Protected GSS-API Negotiation Mechanism (IETF RFC 2478).

When WebSphere Application Server administrative security is enabled, the SPNEGO TAI is initialized. While processing inbound HTTP requests, the Web authenticator component interacts with the SPNEGO TAI, which is defined and enabled in the security configuration repository. One interceptor is selected and is responsible for authenticating access to the secured resource that is identified in the HTTP request.
Important: The use of TAIs is an optional feature. If no TAI is selected, the authentication process continues normally.

HTTP users log in and authenticate only once at their desktop and are subsequently authenticated (internally) with WebSphere Application Server. The SPNEGO TAI is invisible to the end-user of WebSphere applications. The SPNEGO TAI is only visible to the Web administrator who is responsible for ensuring a proper configuration, capacity, and maintenance of the Web environment.

In addition to WebSphere Application Server security runtime services, some external components are required to completely enable operation of the SPNEGO TAI. The external components include:
The authentication of HTTP requests is triggered by the requester (the client side), which generates a SPNEGO token. WebSphere Application Server receives this token and validates trust between the requester and WebSphere Application Server. Specifically, the SPNEGO TAI decodes and retrieves the requester's identity from the SPNEGO token. The identity is used to establish a secure context between the requester and the application server.
Remember: The SPNEGO TAI is a server-side solution in WebSphere Application Server. Client-side applications are responsible for generating the SPNEGO token for use by the SPNEGO TAI. The requester’s identity in WebSphere Application Server security registry must be identical to that identity the SPNEGO TAI retrieves. An identical match does occur when Microsoft Windows Active Directory server is the Lightweight Directory Access Protocol (LDAP) server that is used in WebSphere Application Server. A custom login module is available as a plug-in to support custom mapping of the identity from the Active Directory to the WebSphere Application Server security registry. See Mapping Kerberos client principal name to WebSphere user registry ID for SPNEGO for details on using this custom login module.
WebSphere Application Server validates the identity against its security registry and, if the validation is successful, produces a Lightweight Third Party Authentication (LTPA) security token and places and returns a cookie to the requester in the HTTP response. Subsequent HTTP requests from this same requester to access additional secured resources in WebSphere Application Server use the LTPA security token previously created, to avoid repeated login challenges.
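The handshake described above (challenge, token, identity mapping, SSO cookie, cookie reuse) as a runnable sketch. This is an added example, not WebSphere code and not the SPNEGO TAI implementation: the GSS-API initial-token framing and the SPNEGO mechanism OID follow RFC 2743 and RFC 2478, and the SPN form `HTTP/<host>@<REALM>` is the standard Kerberos convention for HTTP services. Everything else is a constructed simplification and is marked as such in the code: the inner token carries the client principal as plain text instead of a Kerberos AP-REQ, the `SsoToken` cookie stands in for the LTPA token, and `SpnegoStyleTai`, `negotiate_header` and the registry are hypothetical names.

```python
"""Server-side sketch of a SPNEGO-style trust association interceptor (constructed example)."""
import base64
import binascii
import hashlib
import hmac

SPNEGO_OID = "1.3.6.1.5.5.2"  # GSS-API mechanism OID for SPNEGO (RFC 2478)


def _encode_oid(dotted):
    """DER-encode a dotted OID string into its content octets."""
    parts = [int(p) for p in dotted.split(".")]
    body = [40 * parts[0] + parts[1]]
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return bytes(body)


def _decode_oid(content):
    """Inverse of _encode_oid (first arc 0 or 1, which covers the GSS mechanism OIDs)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _read_der_len(buf, pos):
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def build_gss_initial_token(mech_oid, inner):
    """RFC 2743 InitialContextToken: [APPLICATION 0] { mechanism OID, inner token }."""
    oid = _encode_oid(mech_oid)
    payload = b"\x06" + _der_len(len(oid)) + oid + inner
    return b"\x60" + _der_len(len(payload)) + payload


def parse_gss_initial_token(raw):
    """Return (mechanism OID, inner token); raise ValueError on bad framing."""
    if not raw or raw[0] != 0x60:
        raise ValueError("not a GSS-API initial context token")
    total, pos = _read_der_len(raw, 1)
    if pos + total != len(raw) or raw[pos] != 0x06:
        raise ValueError("bad token length or missing mechanism OID")
    oid_len, pos = _read_der_len(raw, pos + 1)
    return _decode_oid(raw[pos:pos + oid_len]), raw[pos + oid_len:]


def negotiate_header(token):
    """Value a client would send in its Authorization header."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


class SpnegoStyleTai:
    """Challenge, decode the token, map the identity, issue and re-verify a signed SSO cookie."""

    COOKIE = "SsoToken="  # constructed stand-in for the LTPA cookie

    def __init__(self, host, realm, registry, signing_key):
        self.spn = f"HTTP/{host}@{realm}"  # the service principal the keytab must hold
        self.realm, self.registry, self.key = realm, set(registry), signing_key

    def _challenge(self):
        return 401, {"WWW-Authenticate": "Negotiate"}, None

    def _mac(self, user):
        return hmac.new(self.key, user.encode(), hashlib.sha256).hexdigest()

    def _verify_cookie(self, value):
        user, _, mac = value.rpartition(".")
        return user if user and hmac.compare_digest(mac, self._mac(user)) else None

    def map_principal(self, principal):
        """Map 'user@REALM' to a registry ID; only an identity from the expected realm maps."""
        name, sep, realm = principal.partition("@")
        return name if sep and realm.upper() == self.realm.upper() else None

    def handle(self, headers):
        """Return (status, response headers, authenticated user or None)."""
        cookie = headers.get("Cookie", "")
        if cookie.startswith(self.COOKIE):
            user = self._verify_cookie(cookie[len(self.COOKIE):])
            if user:
                return 200, {}, user  # valid SSO cookie: no new challenge
        auth = headers.get("Authorization", "")
        if not auth.startswith("Negotiate "):
            return self._challenge()
        try:
            mech, inner = parse_gss_initial_token(base64.b64decode(auth[10:], validate=True))
        except (ValueError, binascii.Error):
            return self._challenge()
        if mech != SPNEGO_OID:
            return self._challenge()  # only SPNEGO is negotiated here
        # Constructed simplification: inner token is the client principal as text.
        # A real token wraps a Kerberos AP-REQ decrypted with the key for self.spn.
        user = self.map_principal(inner.decode("ascii", "replace"))
        if user is None or user not in self.registry:
            return self._challenge()
        return 200, {"Set-Cookie": self.COOKIE + f"{user}.{self._mac(user)}"}, user


if __name__ == "__main__":
    tai = SpnegoStyleTai("app.example.com", "EXAMPLE.COM", ["alice"], b"constructed-key")
    print(tai.handle({}))  # first request: 401 with WWW-Authenticate: Negotiate
    token = build_gss_initial_token(SPNEGO_OID, b"alice@EXAMPLE.COM")
    status, hdrs, user = tai.handle({"Authorization": negotiate_header(token)})
    print(status, user, hdrs)  # 200 alice, Set-Cookie issued
    print(tai.handle({"Cookie": hdrs["Set-Cookie"]}))  # cookie reused, no re-challenge
```

The two rejection paths worth noting are a token carrying a different mechanism OID, which this sketch answers with a fresh challenge rather than falling back to another mechanism, and a principal from an unexpected realm or one absent from the registry, which corresponds to the registry validation step in the text.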

The challenge-response handshake process is illustrated in the following graphic:

Figure 1. HTTP request processing, WebSphere Application Server - SPNEGO TAI
The SPNEGO TAI can be enabled for all or for selected WebSphere Application Servers in a WebSphere Application Server cell configuration. Also, the behavior of each SPNEGO TAI instance is controlled by custom configuration properties that are used to identify, for example, the criteria used to filter HTTP requests, such as the host name and security realm name used to construct the Kerberos Service Principal Name (SPN). For more information regarding establishing and setting the SPNEGO TAI custom configuration properties, see the following topics:

The Web administrator has access to the following SPNEGO TAI security components and associated configuration data, as illustrated in the following graphic.

Figure 2. SPNEGO TAI security and configuration elements
The benefits of having WebSphere Application Server use the SPNEGO TAI include:
Using the SPNEGO TAI in your WebSphere Application Server environment requires planning then implementation. See Single sign-on capability with SPNEGO TAI - checklist in planning for SPNEGO TAI. Implementing the use of the SPNEGO TAI is divided into the following areas of responsibility:
End browser user
The end user must configure the Web browser or Microsoft .NET application to issue HTTP requests that are processed by the SPNEGO TAI.
Web administrator
The Web administrator is responsible for configuring the SPNEGO TAI of WebSphere Application Server to respond to HTTP requests of the client.
WebSphere Application Server administrator
The WebSphere Application Server administrator is responsible for configuring WebSphere Application Server and the SPNEGO TAI for optimum installation performance.
See Creating a single sign-on for HTTP requests using the SPNEGO TAI for an explanation of the tasks required to use the SPNEGO TAI and how the responsible party performs these tasks.



Related concepts
Single sign-on
Related tasks
Creating a single sign-on for HTTP requests using the SPNEGO TAI
Mapping Kerberos client principal name to WebSphere user registry ID for SPNEGO
Related reference
Single sign-on capability with SPNEGO TAI - checklist
Using the ktutil command to manage the Kerberos keytab file
Kerberos configuration file
SPNEGO TAI JVM configuration custom properties
SPNEGO TAI custom properties configuration
Related information
The Simple and Protected GSS-API Negotiation Mechanism (IETF RFC 2478)
Single Sign-on Using Kerberos in Java
Kerberos: The Network Authentication Protocol
SPNEGO TAI configuration requirements


Last updated: Feb 25, 2009 9:32:38 AM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/csec_SPNEGO_overview.html