You can enable and configure the Simple and Protected GSS-API Negotiation (SPNEGO) as the web authenticator for the application server by using the administrative console.
You must have a Kerberos keytab file (krb5.keytab) that contains the Kerberos service principal name, HTTP/<fully qualified hostname>@KerberosRealm, for any WebSphere application server that processes an HTTP request.
The com.ibm.ws.security.spnego.HTTPHeaderFilter default implementation class uses this property to define a list of selection rules that represent conditions that are matched against the HTTP request headers to determine whether or not the HTTP request is selected for SPNEGO authentication.
Each condition is specified with a key-value pair, and the conditions are separated from each other by a semicolon. The conditions are evaluated from left to right, as they appear in the specified property. If all conditions are met, the HTTP request is selected for SPNEGO authentication.
The key and value in the key-value pair are separated by an operator that defines which condition is checked. The key identifies an HTTP request header to extract from the request and its value is compared with the value that is specified in the key-value pair according to the operator specification. If the header that is identified by the key is not present in the HTTP request, the condition is treated as not being met.
String url = request.getRequestURL() + "?" + request.getQueryString();
Condition | Operator | Example |
---|---|---|
Match exactly | == Arguments are compared as equal. | host==host.my.company.com |
Match partially (includes) | %= Arguments are compared with a partial match being valid. | user-agent%=IE 6 |
Match partially (includes one of many) | ^= Arguments are compared with a partial match being valid for one of many arguments specified. | request-url^=webApp1\|webApp2\|webApp3 |
Does not match | != Arguments are compared as not equal. | request-url!=noSPNEGO |
Greater than | > Arguments are compared lexicographically as greater than. | remote-address>192.168.255.130 |
Less than | < Arguments are compared lexicographically as less than. | remote-address<192.168.255.135 |
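The selection rules above, modelled as an added Python example (not IBM's implementation and not code from this page), so a filter string can be checked offline before it is deployed. It shows that a lexicographic `>` on `remote-address` is not a numeric IP comparison. Assumptions: key lookup is case-insensitive, `request-url` and `remote-address` are passed in by the caller as ordinary keys, and "lexicographically" is modelled by Python string ordering.

```python
import re

# Added model of the documented rule semantics; not IBM's implementation.
_RULE = re.compile(r"^\s*([^=%^!<>\s]+)\s*(==|%=|\^=|!=|>|<)(.*)$")

_OPS = {
    "==": lambda have, want: have == want,
    "%=": lambda have, want: want in have,
    "^=": lambda have, want: any(p in have for p in want.split("|") if p),
    "!=": lambda have, want: have != want,
    ">": lambda have, want: have > want,   # string order, not numeric
    "<": lambda have, want: have < want,   # string order, not numeric
}


def parse_filter(spec):
    """Split 'k1==v1;k2%=v2' into (key, operator, value) tuples, in order."""
    rules = []
    for cond in filter(None, (c.strip() for c in spec.split(";"))):
        m = _RULE.match(cond)
        if not m:
            raise ValueError(f"unparseable condition: {cond!r}")
        rules.append((m.group(1).lower(), m.group(2), m.group(3).strip()))
    return rules


def selected_for_spnego(spec, request):
    """True only if every condition is met; a missing key fails its condition."""
    attrs = {k.lower(): v for k, v in request.items()}
    for key, op, want in parse_filter(spec):
        have = attrs.get(key)
        if have is None or not _OPS[op](have, want):
            return False
    return True


# Constructed sample filter and requests (hypothetical values).
SPEC = "request-url^=webApp1|webApp2;remote-address>192.168.255.130"
inside = {"request-url": "http://host.my.company.com/webApp2/index.jsp?lang=en",
          "remote-address": "192.168.255.133"}
# Numerically below .130, yet "14" sorts after "130" as a string.
outside = dict(inside, **{"remote-address": "192.168.255.14"})
no_addr = {"request-url": inside["request-url"]}

if __name__ == "__main__":
    for name, req in [("inside", inside), ("outside", outside), ("no_addr", no_addr)]:
        print(name, selected_for_spnego(SPEC, req))
```

Pairing the `>` rule with a `<` rule on the same key narrows the match, but both bounds are still string comparisons, so test the exact addresses you expect to include and exclude.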
<html><head><title>SPNEGO authentication is not supported</title></head>
<body>SPNEGO authentication is not supported on this client</body></html>;
<html><head><title>An NTLM Token was received.</title></head>
<body>Your browser configuration is correct, but you have not logged into a supported
Microsoft(R) Windows(R) Domain.
<p>Please login to the application using the normal login page.</html>
SPNEGO is now enabled as the web authenticator for the application server.