Java virtual machine (JVM) custom properties control the operation of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI).
In WebSphere® Application Server Version 6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WebSphere Application Server 7.0, this function is now deprecated. SPNEGO web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable fallback to the application login method.
Custom Property Name | Required | Value Type | Default Value | Recommended Value |
---|---|---|---|---|
com.ibm.ws.security.spnego.isEnabled | No | Boolean | False | True |
com.ibm.ws.security.spnego.propertyReloadFile | No | String | None | For Windows: C:\temp\TAI.props. For UNIX: /tmp/TestTAI.Properties |
com.ibm.ws.security.spnego.propertyReloadTimeout | No | Integer | None | 120 |
com.ibm.ws.security.spnego.useHttpFilterClass2 | No | Boolean | False | True |
A sample of the reload file named by com.ibm.ws.security.spnego.propertyReloadFile follows:
```
##########################################################
# Template properties files for SPNEGO TAI
#
# Where possible defaults have been provided.
#
##########################################################

#---------------------------------------------------------
# Hostname
#---------------------------------------------------------
#com.ibm.ws.spnego.SPN1.HostName=wsecurity.austin.ibm.com

#---------------------------------------------------------
# (Optional) SpnegoNotSupportedPage
#---------------------------------------------------------
#com.ibm.ws.spnego.SPN1.SpnegoNotSupportedPage=

#---------------------------------------------------------
# (Optional) NTLMTokenReceivedPage
#---------------------------------------------------------
#com.ibm.ws.spnego.SPN1.NTLMTokenReceivedPage=

#---------------------------------------------------------
# (Optional) FilterClass
#---------------------------------------------------------
#com.ibm.ws.spnego.SPN1.FilterClass=com.ibm.ws.spnego.HTTPHeaderFilter

#---------------------------------------------------------
# (Optional) Filter
#---------------------------------------------------------
#com.ibm.ws.spnego.SPN1.Filter=
```
When com.ibm.ws.security.spnego.useHttpFilterClass2 is set to true, the following filter specification works properly:
user-agent!=IBM Web Services Explorer;request-url!=noSPNEGO
If this property is set to false, or is not specified, the preceding filter does not work properly.
Custom Property Name | Required | Value Type | Default Value | Recommended Value |
---|---|---|---|---|
com.ibm.security.jgss.debug | No | String | None | "off" or "all" |
com.ibm.security.krb5.Krb5Debug | No | String | None | "off" or "all" |
java.security.properties | No | String | None | |
javax.security.auth.useSubjectCredsOnly | Yes | Boolean | True | False |