Before you begin
You need to know how to use the
WebSphere Application Server administrative
console to manage the security configuration and have the proper authority
to modify the security configuration of the application server.
Deprecated feature: In WebSphere Application Server Version 6.1, a
trust association interceptor (TAI) that uses the Simple and Protected
GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate
HTTP requests for secured resources was introduced. In WebSphere Application Server 7.0, this function
is now deprecated. SPNEGO web authentication has taken its place to
provide dynamic reload of the SPNEGO filters and to enable fallback
to the application login method.
depfeat
About this task
Verify the configuration of your SPNEGO TAI. The deployment
of the SPNEGO TAI can vary from a single
WebSphere Application Server system on which
a single application is running to a large multinode
WebSphere Application Server, Network Deployment (ND) cell, with
dozens of application servers, hosting many applications. Every SPNEGO
TAI is installed at the cell level. You must be aware of your particular
SPNEGO TAI configuration.
The default behavior of the SPNEGO TAI
is to not intercept HTTP requests. This default behavior ensures that
the SPNEGO TAI can be installed into an existing cell, configured
for a single application server and not change any other application
servers in the cell. Other WebSphere Application Servers can run exactly
as before within a given configuration.
Decide whether or not
to use the sample SPN<id>.filterClass and determine the exact
filter properties to use.
Note: The default behavior of the SPNEGO
TAI is to use the com.ibm.ws.security.spnego.SPN<id>.filterClass and
intercept all requests.
If the default behavior is not appropriate,
you can use a customer provided class, or extend or modify the sample
class as required. The system programmer interface,
com.ibm.ws.security.spnego.SpnegoFilter allows
you to implement a custom filter to determine whether or not to intercept
a particular HTTP request. With the default implementation, you can
set filter rules for coarse as well as fine-grained criteria in selecting
which HTTP requests to intercept.
Complete the following
steps to enable the operation of the SPNEGO TAI with your selected
filtering and with the JVM required property.