Simple and Protected GSSAPI Negotiation Mechanism 1.0

This feature enables web applications to integrate SPNEGO 1.0 for authenticating users instead of, or in addition to, the configured user registry.

Enabling this feature

To enable the Simple and Protected GSSAPI Negotiation Mechanism 1.0 feature, add the following element declaration into your server.xml file, inside the featureManager element:

<feature>spnego-1.0</feature>

Examples

The following examples provide feature configuration details for the SPNEGO feature. If you want to learn more about single sign-on (SSO) with SPNEGO, see Single sign-on. To enable SPNEGO authentication, you must also configure your browser, Kerberos Key Distribution Center (KDC), and Open Liberty. For more information about how to configure these other items, see Configuring SPNEGO authentication.

Apply SPNEGO authentication to a subset of HTTP requests

You can filter HTTP requests to require SPNEGO authentication for only certain requests, web applications, hosts, or user agents. Specify attributes within the authFilter element in the server.xml file to require SPNEGO authentication for certain requests, as shown in the following example:

<authFilter id="myAuthFilter">
          <host id="myHost" name="example.com" matchType="contains" /> (1)
          <webApp id="myWebApp" name="protectedApp" matchType="equals" /> (1)
</authFilter>

<spnego id="mySpnego"
        includeClientGSSCredentialInSubject="false" (2)
        krb5Config="server1/resources/security/kerberos/krb5.conf" (3)
        krb5Keytab="server1/resources/security/kerberos/krb5.keytab" (3)
        servicePrincipalNames="HTTP/myLibertyMachine.example.com"
        authFilterRef="myAuthFilter" />
</spnego>

This example configures the following points for SPNEGO authentication:

1 SPNEGO authentication is used for any requests received that contain the example.com hostname for resources within the protectedApp web application.
2 The client GSS credentials aren’t added to the user subject upon successful authentication.
3 The Kerberos configuration and keytab files that are used by the server are given specific locations within the server configuration directory instead of within their default locations.

Disable LTPA cookies for SPNEGO

By default, when a client is authenticated with Open Liberty, an LTPA cookie is created and sent to the HTTP servlet. The following example disables LTPA cookies by specifying the disableLtpaCookie attribute with a value of true in the server.xml file:

<spnego id="mySpnego" disableLtpaCookie="true" />

In this example configuration, LTPA cookies are disabled, so a mechanism other than LTPA cookies can be used for authentication. For more information about about LTPA, see Authentication.

Feature configuration elements

Features that this feature enables

Supported Java versions

  • JavaSE-1.8

  • JavaSE-11.0

  • JavaSE-15.0

Developing a feature that depends on this feature

If you are developing a feature that depends on this feature, include the following item in the Subsystem-Content header in your feature manifest file.

com.ibm.websphere.appserver.spnego-1.0; type="osgi.subsystem.feature"