Reference Documentation
Configuring web.xml
Servlet Filter init params. See the example web.xml in the Tomcat Install Guide.

| Property | Req/Opt | Description |
|---|---|---|
| spnego.krb5.conf | Required | Valid value: path to the krb5.conf file (relative or absolute path). See the pre-flight documentation for guidance on how to create this file, and the Tomcat Install Guide for an example configuration. |
| spnego.login.conf | Required | Valid value: path to the login.conf file (relative or absolute path). See the pre-flight documentation for guidance on how to create this file, and the Tomcat Install Guide for an example configuration. |
| spnego.login.server.module | Required | Valid value: the module name specified in the login.conf file for the server. See the pre-flight documentation for guidance on how to create this file, and the Tomcat Install Guide for an example configuration. |
| spnego.login.client.module | Required | Valid value: the module name specified in the login.conf file for the client. See the pre-flight documentation for guidance on how to create this file, and the Tomcat Install Guide for an example configuration. |
| spnego.preauth.username | Required | Valid value: Windows NT Domain Account. See the pre-flight documentation for guidance on how to create this account. |
| spnego.preauth.password | Required | Valid value: pre-auth Domain Account password. The password should be set to never expire. |
| spnego.allow.basic | Required | Valid values are true or false. Offer HTTP Basic Authentication in addition to Kerberos Authentication. Consider this option if an HTTP client cannot negotiate SPNEGO token(s). Set this value to false if you only allow Kerberos Authentication. |
| spnego.allow.unsecure.basic | Required | Valid values are true or false. With respect to Basic Authentication, specify whether HTTPS is required. If Basic Authentication is not allowed, this setting is a no-op. Set this value to false if you do not want to offer Basic Authentication on non-SSL connections. |
| spnego.allow.localhost | Optional | Valid values are true or false. Default is false. Skip authentication for requests that originate from localhost. Set this value to true if you run a local instance of the server and want to avoid having to register an SPN for your workstation. Set this value to false if requests from localhost should be authenticated like any other request. |
| spnego.prompt.ntlm | Required | Valid values are true or false. The SPNEGO Filter does not support NTLM. Set this value to true if clients that attempt to authenticate via NTLM should be offered Basic Authentication instead (assuming spnego.allow.basic=true). Set this value to false if NTLM Authentication should be rejected. |
| spnego.allow.delegation | Optional | Valid values are true or false. Default is false. IE and AD allow delegation by default. See the DelegateServletRequest docs for more info. Set this value to true to enable the filter for credential delegation. |
| spnego.logger.level | Optional | Valid values are 1 through 7. Default is specified by the container. 1 = FINEST; 7 = SEVERE. Set the value to 1 for debugging/verbose logging. |
A Servlet Filter resource mapping can either be defined at the Container level or at
the web application level. The example in the Tomcat Install Guide
has the mapping defined at the Container level.
Here's an example mapping for .jsp files:

```xml
<filter-mapping>
    <filter-name>SpnegoHttpFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
```

And here's an example mapping for .cfm files:

```xml
<filter-mapping>
    <filter-name>SpnegoHttpFilter</filter-name>
    <url-pattern>*.cfm</url-pattern>
</filter-mapping>
```
The location of the filter-mapping in the web.xml is important. The SPNEGO Filter
mapping must be defined before any other mapping, because filter-mappings execute in the order they are defined and the SPNEGO Filter must run first.
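As an added example (not part of this reference page or of the project's own code), the following Python script audits a web.xml against the rules above: every Required init-param present, Basic Authentication not offered on non-SSL connections, the localhost bypass off, and the SpnegoHttpFilter mapping first. The embedded web.xml is a constructed sample that breaks several of these rules; the filter class `net.sourceforge.spnego.SpnegoHttpFilter` is the project's, and the script assumes a web.xml without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from the project's install guide); it has
# several of the weaknesses the audit below looks for.
SAMPLE_WEB_XML = """<web-app>
  <filter>
    <filter-name>SpnegoHttpFilter</filter-name>
    <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
    <init-param><param-name>spnego.allow.basic</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>spnego.allow.unsecure.basic</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>spnego.allow.localhost</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>spnego.prompt.ntlm</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>CharsetFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>SpnegoHttpFilter</filter-name><url-pattern>*.jsp</url-pattern></filter-mapping>
</web-app>"""

# Init-params the reference table marks as Required.
REQUIRED = ["spnego.krb5.conf", "spnego.login.conf", "spnego.login.server.module",
            "spnego.login.client.module", "spnego.preauth.username",
            "spnego.preauth.password", "spnego.allow.basic",
            "spnego.allow.unsecure.basic", "spnego.prompt.ntlm"]

def audit_web_xml(xml_text, filter_name="SpnegoHttpFilter"):
    """Return a list of findings about the SPNEGO filter's configuration."""
    root = ET.fromstring(xml_text)  # assumes no XML namespace on web-app
    params = {}
    for flt in root.iter("filter"):
        if flt.findtext("filter-name") == filter_name:
            for ip in flt.iter("init-param"):
                params[ip.findtext("param-name")] = (ip.findtext("param-value") or "").strip().lower()
    if not params:
        return [f"no <filter> named {filter_name} found"]
    findings = [f"missing required init-param {n}" for n in REQUIRED if n not in params]
    if params.get("spnego.allow.basic") == "true" and params.get("spnego.allow.unsecure.basic") == "true":
        findings.append("Basic Authentication is offered on non-SSL connections "
                        "(spnego.allow.unsecure.basic=true): credentials can travel in the clear")
    if params.get("spnego.allow.localhost") == "true":
        findings.append("requests from localhost skip authentication (spnego.allow.localhost=true)")
    # The SPNEGO filter mapping must be the first filter-mapping so it executes first.
    mappings = [m.findtext("filter-name") for m in root.iter("filter-mapping")]
    if mappings and mappings[0] != filter_name:
        findings.append(f"{filter_name} mapping is not first; {mappings[0]} runs before it")
    return findings

if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML):
        print("WARNING:", finding)
```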
Licensing:
GNU LGPL
© 2009 Darwin V. Felix. All rights reserved.