SPNEGO Web authentication filter commands

SPNEGO Web authentication filter commands

Use wsadmin commands to add, modify, delete, or show SPNEGO Web authentication filters in the security configuration.

Add SPNEGO web authentication filter

Use the addSpnegoFilter command to add a new SPNEGO Web authentication filter in the security configuration.
wsadmin>$AdminTask help addSpnegoFilter

You can use the following parameters with the addSpnegoFilter command:

Table 1. Command parameters

Option Description
<hostName> Required. Use to supply a fully-qualified host name.
<krb5Realm> Optional. Use to supply a Kerberos realm name. If the krb5Realm parameter is not specified, the default Kerberos realm name in the Kerberos configuration file is used.
<filterCriteria> Optional. Use to supply the HTTP request filter rules. If the filterCriteria parameter is not specified, all of the HTTP requests are authenticated by SPNEGO.
<filterClass> Optional. Use to supply the HTTP request filter rules. If the filterClass parameter is not specified, the default filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used.
<trimUserName> Optional. Use to indicate whether the Kerberos realm name is to be removed from the Kerberos principal name.
<enabledGssCredDelegate> Optional. Use to indicate whether to extract and place the client GSS delegation credential in the subject. The default value is true.
<spnegoNotSupportedPage> Optional. Use to supply the uniform resource identifier (URI) of the resource with a response to be used when SPNEGO is not supported. If this parameter is not specified, the default SPNEGO not supported error page is used.
<ntlmTokenReceivedPage> Optional. Use to supply the URI of the resource with a response to be used when an NT LAN manager (NTLM) token is received. If this parameter is not specified, the default NTLM token received error page is used.

The following is an example of the addSpnegoFilter command:
wsadmin>$AdminTask addSpnegoFilter { -hostName ks.mpls.setgetweb.com -krb5Realm WSSEC.AUSTIN.IBM.COM}

Modify SPNEGO web authentication filter

Use the modifySpnegoFilter command to modify SPNEGO filter attributes in the security configuration.
wsadmin>$AdminTask help modifySpnegoFilter

You can use the following parameters with the modifySpnegoFilter command:

Table 2. Command parameters

Option Description
<hostName> Required. Use to supply a long host name. The hostname is an identifier, so we can not modify the hostname.
<krb5Realm> Optional. Use to supply a Kerberos realm name. If the krb5Realm parameter is not specified, the default Kerberos realm name in the Kerberos configuration file is used.
<filterCriteria> Optional. Use to supply the HTTP request filter rules. If the filterCriteria parameter is not specified, all of the HTTP requests are authenticated by SPNEGO.
Read about Enable and configuring SPNEGO Web authentication for more information about filter criteria.
<filterClass> Optional. Use to supply the HTTP request filter rules. If the filterClass is not specified, the default filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used.
<trimUserName> Optional. Use to indicate whether the Kerberos realm name is to be removed from the Kerberos principal name.
<enabledGssCredDelegate> Optional. Use to indicate whether to extract and place the client GSS delegation credential in the subject. The default value is true.
<spnegoNotSupportedPage> Optional. Use to supply the URI of the resource with a response to be used when SPNEGO is not supported. If this parameter is not specified, the default SPNEGO not supported error page is used.
<ntlmTokenReceivedPage> Optional. Use to supply the URI of the resource with a response to be used when an NTLM token is received. If this parameter is not specified, the default NTLM token received error page is used.

The following is an example of the modifySpnegoFilter command:
wsadmin>$AdminTask modifySpnegoFilter { -hostName ks.mpls.setgetweb.com -krb5Realm WSSEC.AUSTIN.IBM.COM}

Delete SPNEGO web authentication filter

Use the deleteSpnegoFilter command to remove SPNEGO a Web authentication filter from the security configuration. If a host name is not specified, all of the SPNEGO Web authentication filters are removed.
wsadmin>$AdminTask help deleteSpnegoFilter

You can use the following parameter with the deleteSpnegoFilter command:

Table 3. Command parameters

Option Description
<hostname> Required. If the hostname is not specified, all of the SPNEGO Web authentication filters are deleted.

The following is an example of the deleteSpnegoFilter command:
wsadmin> $AdminTask deleteSpnegoFilter {-hostName ks.mpls.setgetweb.com}

Show SPNEGO web authentication filter

Use the showSpnegoFilter command to display a SPNEGO Web authentication filter in the security configuration. If a host name is not specified, all of the SPNEGO filters are displayed.
wsadmin>$AdminTask help showSpnegoFilter

You can use the following parameter with the showSpnegoFilter command:

Table 4. Command parameters

Option Description
<hostname> This parameter is optional. If a long host name is not specified, all of the SPNEGO Web authentication filters are displayed.

The following is an example of the showSpnegoFilter command:
wsadmin> $AdminTask showSpnegoFilter {-hostName ks.mpls.setgetweb.com}

Related tasks

Set Kerberos as the authentication mechanism
Set SPNEGO web authentication filters
Set security with scripting

Related

SPNEGO Web authentication configuration commands

Option	Description
<hostName>	Required. Use to supply a fully-qualified host name.
<krb5Realm>	Optional. Use to supply a Kerberos realm name. If the krb5Realm parameter is not specified, the default Kerberos realm name in the Kerberos configuration file is used.
<filterCriteria>	Optional. Use to supply the HTTP request filter rules. If the filterCriteria parameter is not specified, all of the HTTP requests are authenticated by SPNEGO.
<filterClass>	Optional. Use to supply the HTTP request filter rules. If the filterClass parameter is not specified, the default filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used.
<trimUserName>	Optional. Use to indicate whether the Kerberos realm name is to be removed from the Kerberos principal name.
<enabledGssCredDelegate>	Optional. Use to indicate whether to extract and place the client GSS delegation credential in the subject. The default value is true.
<spnegoNotSupportedPage>	Optional. Use to supply the uniform resource identifier (URI) of the resource with a response to be used when SPNEGO is not supported. If this parameter is not specified, the default SPNEGO not supported error page is used.
<ntlmTokenReceivedPage>	Optional. Use to supply the URI of the resource with a response to be used when an NT LAN manager (NTLM) token is received. If this parameter is not specified, the default NTLM token received error page is used.

Option	Description
<hostName>	Required. Use to supply a long host name. The hostname is an identifier, so we can not modify the hostname.
<krb5Realm>	Optional. Use to supply a Kerberos realm name. If the krb5Realm parameter is not specified, the default Kerberos realm name in the Kerberos configuration file is used.
<filterCriteria>	Optional. Use to supply the HTTP request filter rules. If the filterCriteria parameter is not specified, all of the HTTP requests are authenticated by SPNEGO. Read about Enable and configuring SPNEGO Web authentication for more information about filter criteria.
<filterClass>	Optional. Use to supply the HTTP request filter rules. If the filterClass is not specified, the default filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used.
<trimUserName>	Optional. Use to indicate whether the Kerberos realm name is to be removed from the Kerberos principal name.
<enabledGssCredDelegate>	Optional. Use to indicate whether to extract and place the client GSS delegation credential in the subject. The default value is true.
<spnegoNotSupportedPage>	Optional. Use to supply the URI of the resource with a response to be used when SPNEGO is not supported. If this parameter is not specified, the default SPNEGO not supported error page is used.
<ntlmTokenReceivedPage>	Optional. Use to supply the URI of the resource with a response to be used when an NTLM token is received. If this parameter is not specified, the default NTLM token received error page is used.