Spnego Authentication (spnego)
Controls the operation of the Simple and Protected GSS-API Negotiation Mechanism.
| Name | Type | Default | Description |
|---|---|---|---|
authFilterRef | A reference to top level authFilter element (string). | Specifies the authentication filter reference. | |
canonicalHostName | boolean | true | Controls whether you want to use the canonical host name. |
disableFailOverToAppAuthType | boolean | true | Specifies that SPNEGO is used to log in to WebSphere Application Server first. However, if the login fails, then the application authentication mechanism is used to log in to the WebSphere Application Server. |
disableLtpaCookie | boolean | false | Do not create an LTPA cookie during processing of the SPNEGO token. No LTPA cookie is added to the HTTP response. |
includeClientGSSCredentialInSubject | boolean | true | Specifies whether the client delegation credentials should be stored in a client subject. |
includeCustomCacheKeyInSubject | boolean | true | Specifies whether the custom cache key is stored in a client subject and LTPA cookie. If this property is set to true and the cache key for a user is not found in the authentication cache, the user is required to log in again. Set this property to false when you use the SPNEGO feature to allow the security subject to be constructed from the LTPA cookie and the user registry. If the security subject is reconstructed from the LTPA cookie and the user registry, no Kerberos or GSS credentials are included in the subject. If more than one server uses your LTPA cookie, consider setting this property to false. |
krb5Config | string | Deprecated: use configFile attribute on the <kerberos> element instead. Specifies the fully qualified Kerberos configuration path and name. Standard variable substitutions, such as ${server.config.dir}, can be used when specifying the directory path. | |
krb5Keytab | string | Deprecated: use keytab attribute on the <kerberos> element instead. Specifies the fully qualified Kerberos keytab path and name. Standard variable substitutions, such as ${server.config.dir}, can be used when specifying the directory path. The Kerberos keytab file contains a list of keys that are analogous to user passwords. It is important for hosts to protect their Kerberos keytab files by storing them on the local disk. | |
ntlmTokenReceivedErrorPageURL | string | Specifies the URL of a resource that contains the content which SPNEGO includes in the HTTP response, which is displayed by the browser client application. | |
servicePrincipalNames | string | Specifies a list of Kerberos service principal names separated by a comma. | |
spnegoAuthenticationErrorPageURL | string | Specifies the URL of a resource that contains the content that SPNEGO includes in the HTTP response. The HTTP response is displayed by the browser client application. | |
spnegoNotSupportedErrorPageURL | string | Specifies the URL of a resource that contains the content which SPNEGO includes in the HTTP response that is displayed by the browser client application if it does not support SPNEGO authentication. | |
trimKerberosRealmNameFromPrincipal | boolean | true | Specifies whether SPNEGO removes the suffix of the Kerberos principal user name, starting from the @ that precedes the Kerberos realm name. If this attribute is set to true, the suffix of the principal user name is removed. If this attribute is set to false, the suffix of the principal name is retained. |
authFilter
Specifies the authentication filter reference.
authFilter > cookie
A unique configuration ID.
| Name | Type | Default | Description |
|---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
name | string | Specifies the name. |
authFilter > host
A unique configuration ID.
| Name | Type | Default | Description |
|---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
name | string | Specifies the name. |
authFilter > remoteAddress
A unique configuration ID.
| Name | Type | Default | Description |
|---|---|---|---|
id | string | A unique configuration ID. | |
ip | string | Specifies the remote host TCP/IP address. | |
matchType |
| contains | Specifies the match type. |
authFilter > requestHeader
A unique configuration ID.
| Name | Type | Default | Description |
|---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
name | string | Specifies the name. | |
value | string | The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains". |
authFilter > requestUrl
A unique configuration ID.
| Name | Type | Default | Description |
|---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
urlPattern | string | Specifies the URL pattern. The * character is not supported to be used as a wildcard. |
authFilter > userAgent
A unique configuration ID.
| Name | Type | Default | Description |
|---|---|---|---|
agent | string | Specifies the browser's user agent to help identify which browser is being used. | |
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
authFilter > webApp
A unique configuration ID.
| Name | Type | Default | Description |
|---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
name | string | Specifies the name. |
