Reference Documentation

Configuring web.xml

Servlet Filter init params. See example web.xml in Tomcat Install Guide.

Property Req/Opt Description

spnego.krb5.conf Required
  • Valid value: Path to krb5.conf file (relative or absolute path)
  • Take a look at the pre-flight documentation for guidance on how to create this file.
  • See the Tomcat Install Guide for an example configuration.

spnego.login.conf Required
  • Valid value: Path to login.conf file (relative or absolute path)
  • Take a look at the pre-flight documentation for guidance on how to create this file.
  • See the Tomcat Install Guide for an example configuration.

spnego.login.server.module Required
  • Valid value: value specified in login.conf file for server
  • Take a look at the pre-flight documentation for guidance on how to create this file.
  • See the Tomcat Install Guide for an example configuration.

spnego.login.client.module Required
  • Valid value: value specified in login.conf file for client
  • Take a look at the pre-flight documentation for guidance on how to create this file.
  • See the Tomcat Install Guide for an example configuration.

spnego.preauth.username Required
  • Valid value: Windows NT Domain Account.
  • Take a look at the pre-flight documentation for guidance on how to create this account.

spnego.preauth.password Required
  • Valid value: Pre-auth Domain Account Password.
  • Set the password to never expire.

spnego.allow.basic Required
  • Valid values are true or false.
  • Offer HTTP Basic Authentication in addition to Kerberos Authentication.
  • Consider this option if an HTTP client cannot negotiate SPNEGO token(s).
  • Set this value to false if you only allow Kerberos Authentication.

spnego.allow.unsecure.basic Required
  • Valid values are true or false.
  • With respect to Basic Authentication, specifies whether HTTPS is required. If Basic Authentication is not allowed, this setting has no effect.
  • Set this value to false if you do not want to offer Basic Authentication for non-SSL connections.

spnego.allow.localhost Optional
  • Valid values are true or false.
  • Default is false.
  • Skip authentication if requests are coming from localhost.
  • Requests that originate from localhost will not require authentication.
  • Set this value to true if you run a local instance of the server and you want to avoid having to register an SPN for your workstation.
  • Set this value to false if requests from localhost should be rejected.

spnego.prompt.ntlm Required
  • Valid values are true or false.
  • The SPNEGO Filter does not support NTLM.
  • Set this value to true if clients who wish to authenticate via NTLM should be offered Basic Authentication (assuming spnego.allow.basic=true).
  • Set this value to false if NTLM Authentication should be rejected.

spnego.allow.delegation Optional
  • Valid values are true or false.
  • Default is false.
  • IE and AD allow delegation by default.
  • See the DelegateServletRequest docs for more info.
  • Set this value to true to enable the filter for delegation.

spnego.logger.level Optional
  • Valid values are 1 through 7.
  • Default is specified by the container.
  • 1 = FINEST; 7 = SEVERE
  • Set value to 1 for debugging/verbose logging.

A Servlet Filter resource mapping can be defined either at the Container level or at the web application level. The example in the Tomcat Install Guide has the mapping defined at the Container level.

Here's an example mapping for .jsp files:

    <filter-mapping>
        <filter-name>SpnegoHttpFilter</filter-name>
        <url-pattern>*.jsp</url-pattern>
    </filter-mapping>

And here's an example mapping for .cfm files:

    <filter-mapping>
        <filter-name>SpnegoHttpFilter</filter-name>
        <url-pattern>*.cfm</url-pattern>
    </filter-mapping>

The location of the filter-mapping in the web.xml is important. The SPNEGO Filter mapping must be defined before any other filter mapping so that it is executed first.
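
The init-param table and the mapping-order rule above can be checked mechanically before a deployment. The following is an added example, not part of the SPNEGO project or its documentation: `audit` and `sample_web_xml` are hypothetical helpers, every sample value is constructed, and the findings are advisory readings of the table.

```python
import xml.etree.ElementTree as ET

REQUIRED = ("spnego.krb5.conf", "spnego.login.conf", "spnego.login.server.module",
            "spnego.login.client.module", "spnego.preauth.username",
            "spnego.preauth.password", "spnego.allow.basic",
            "spnego.allow.unsecure.basic", "spnego.prompt.ntlm")  # marked Required above

def _name(el):
    return el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def _child(el, name):  # text of the first child element called `name`, else None
    return next(((c.text or "").strip() for c in el if _name(c) == name), None)

def audit(web_xml, filter_name="SpnegoHttpFilter"):
    """Return a list of findings for one web.xml document (hypothetical helper)."""
    params, mappings = None, []
    for el in ET.fromstring(web_xml):
        if _name(el) == "filter" and _child(el, "filter-name") == filter_name:
            params = {_child(p, "param-name"): _child(p, "param-value")
                      for p in el if _name(p) == "init-param"}
        elif _name(el) == "filter-mapping":
            mappings.append(_child(el, "filter-name"))
    if params is None:
        return [f"filter {filter_name} is not declared"]
    out = [f"missing required init-param {p}" for p in REQUIRED if p not in params]
    if (params.get("spnego.allow.basic") == "true"
            and params.get("spnego.allow.unsecure.basic") == "true"):
        out.append("Basic Authentication is offered on non-SSL connections")
    if params.get("spnego.allow.localhost") == "true":
        out.append("requests from localhost skip authentication")
    if params.get("spnego.logger.level") == "1":
        out.append("logger level 1 (FINEST) is meant for debugging")
    if filter_name in mappings and mappings[0] != filter_name:
        out.append(f"{filter_name} mapping is not the first filter-mapping")
    return out

def sample_web_xml(overrides=(), mappings=("SpnegoHttpFilter",)):
    """Constructed web.xml for the demo; every value is sample data."""
    values = {**dict.fromkeys(REQUIRED, "SAMPLE"), **dict(overrides)}
    params = "".join(f"<init-param><param-name>{k}</param-name>"
                     f"<param-value>{v}</param-value></init-param>" for k, v in values.items())
    maps = "".join(f"<filter-mapping><filter-name>{m}</filter-name>"
                   f"<url-pattern>*.jsp</url-pattern></filter-mapping>" for m in mappings)
    return ("<web-app><filter><filter-name>SpnegoHttpFilter</filter-name>"
            f"{params}</filter>{maps}</web-app>")

if __name__ == "__main__":
    demo = sample_web_xml({"spnego.allow.localhost": "true"}, ("Other", "SpnegoHttpFilter"))
    print(audit(demo))
```

Because the mapping may live at the Container level, a web.xml with no SpnegoHttpFilter mapping is not reported; run the check against whichever file holds the mapping.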

    Licensing:
    GNU LGPL


    © 2009 Darwin V. Felix. All rights reserved.