Simple and Protected GSSAPI Negotiation Mechanism1.0
This feature enables web applications to integrate SPNEGO 1.0 for authenticating users instead of, or in addition to, the configured user registry.
Enabling this feature
To enable the Simple and Protected GSSAPI Negotiation Mechanism 1.0 feature, add the following element declaration into your server.xml
file, inside the featureManager
element:
<feature>spnego-1.0</feature>
Examples
The following examples provide feature configuration details for the SPNEGO feature. To enable SPNEGO authentication, you must also configure your browser, Kerberos Key Distribution Center (KDC), and Open Liberty. For more information, see Configuring SPNEGO authentication.
Apply SPNEGO authentication to a subset of HTTP requests
You can filter HTTP requests to require SPNEGO authentication for certain requests, web applications, hosts, or user agents. Specify attributes within the authFilter element in the server.xml
file to require SPNEGO authentication for certain requests, as shown in the following example:
<authFilter id="myAuthFilter">
<host id="myHost" name="example.com" matchType="contains" />
<webApp id="myWebApp" name="protectedApp" matchType="equals" />
</authFilter>
<spnego id="mySpnego"
includeClientGSSCredentialInSubject="false"
krb5Config="server1/resources/security/kerberos/krb5.conf"
krb5Keytab="server1/resources/security/kerberos/krb5.keytab"
servicePrincipalNames="HTTP/myLibertyMachine.example.com"
authFilterRef="myAuthFilter" />
</spnego>
This example configures the following points for SPNEGO authentication:
The
authFilter
element specifies that SPNEGO authentication is used for any requests received that contain theexample.com
hostname for resources within theprotectedApp
web application.The
includeClientGSSCredentialInSubject
attribute is set to a value offalse
to indicate that client GSS credentials aren’t added to the user subject upon successful authentication.The
krb5Config
andkrb5Keytab
attributes provide specific locations for the Kerberos configuration and keytab files within the server configuration directory instead of within their default locations.
Disable LTPA cookies for SPNEGO
By default, when a client is authenticated with Open Liberty, an LTPA cookie is created and sent to the HTTP servlet. The following example disables LTPA cookies by specifying the disableLtpaCookie
attribute with a value of true
in the server.xml
file:
<spnego id="mySpnego" disableLtpaCookie="true" />
In this example configuration, LTPA cookies are disabled so that a mechanism other than LTPA cookies can be used for authentication. For more information about about LTPA, see Single sign-on.