You can use a system programming interface to customize the behavior
of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association
interceptor (TAI) by specifying whether or not a particular HTTP request should
be intercepted.
Before you begin
Before you begin, you need to understand the deployment of the SPNEGO
TAI in your installation.
Deprecated feature: In WebSphere® Application Server Version 6.1, a trust association interceptor (TAI) that uses the Simple
and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate
and authenticate HTTP requests for secured resources was introduced. In WebSphere Application Server 7.0, this function is now deprecated. SPNEGO Web authentication has
taken its place to provide dynamic reload of the SPNEGO filters and to enable
fallback to the application login method.
About this task
Verify the configuration of your SPNEGO TAI. The deployment of the
SPNEGO TAI can vary from a single
WebSphere Application Server system
on which a single application is running to a large multinode
WebSphere Application Server, Network Deployment (ND) cell, with dozens of application servers, hosting
many applications. Every SPNEGO TAI is installed at the cell level. You must
be aware of your particular SPNEGO TAI configuration.
The default behavior
of the SPNEGO TAI is to not intercept HTTP requests. This default behavior
ensures that the SPNEGO TAI can be installed into an existing cell, configured
for a single application server and not change any other application servers
in the cell. Other WebSphere Application Servers can run exactly as
before within a given configuration.
Then decide whether or not to use
the sample SPN<id>.filter class and determine the exact filter properties
to use.
Note: The default behavior of the SPNEGO TAI is to use the com.ibm.ws.security.spnego.SPN<id>.filter
class and intercept all requests.
If the default behavior is not appropriate,
you can use a customer-provided class, or extend or modify the sample class
as required. The system programming interface, com.ibm.ws.security.spnego.SpnegoFilter,
allows you to implement a custom filter that determines whether or not to intercept
a particular HTTP request. With the default implementation, you can set filter
rules that use coarse as well as fine-grained criteria to select which HTTP
requests to intercept.
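
This page does not show the method signatures of SpnegoFilter, so the following added example (not IBM's code and not the SpnegoFilter API) models only the decision that a custom filter makes: coarse and fine-grained rules, with no interception when nothing matches. The Request, Rule and shouldIntercept names are hypothetical, the sample requests are constructed, and Java 16 or later is assumed.

```java
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

// Added illustration only: this is NOT the com.ibm.ws.security.spnego.SpnegoFilter API.
public class InterceptDecisionDemo {

    // Hypothetical minimal view of an HTTP request (constructed for this example).
    record Request(String url, String remoteAddr, Map<String, String> headers) {}

    // Hypothetical rule: every condition must hold for the rule to match.
    record Rule(String name, List<Predicate<Request>> conditions) {
        boolean matches(Request r) {
            return conditions.stream().allMatch(c -> c.test(r));
        }
    }

    // Intercept only when some rule matches; no rules or no match means "do not intercept".
    static boolean shouldIntercept(List<Rule> rules, Request r) {
        return rules.stream().anyMatch(rule -> rule.matches(r));
    }

    public static void main(String[] args) {
        // Coarse rule: everything under one application's context root.
        Rule coarse = new Rule("payroll-app", List.<Predicate<Request>>of(
            r -> r.url().startsWith("/payroll/")));
        // Fine-grained rule: one path, one internal address prefix (simplified string
        // match, not real CIDR handling), and a User-Agent header must be present.
        Rule fine = new Rule("admin-internal", List.<Predicate<Request>>of(
            r -> r.url().startsWith("/admin/reports"),
            r -> r.remoteAddr().startsWith("10.20."),
            r -> r.headers().containsKey("User-Agent")));
        List<Rule> rules = List.of(coarse, fine);

        Map<String, String> browser = Map.of("User-Agent", "Mozilla/5.0");
        List<Request> samples = List.of(  // constructed sample requests
            new Request("/payroll/view", "203.0.113.7", Map.of()),
            new Request("/admin/reports/q1", "10.20.3.4", browser),
            new Request("/admin/reports/q1", "203.0.113.7", browser),
            new Request("/snoop", "10.20.3.4", Map.of()));
        for (Request s : samples) {
            System.out.printf("%-20s %-12s intercept=%b%n",
                s.url(), s.remoteAddr(), shouldIntercept(rules, s));
        }
    }
}
```

Only the first two sample requests are selected for interception; the request from outside the internal prefix and the request for an unlisted URL pass through untouched, which is the property that lets the TAI be scoped to one application without affecting the rest of the cell.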