How To
Summary
Traditional WebSphere includes an alternate SPNEGO filter that supports IP address ranges.
Objective
This article shows how to configure the alternate SPNEGO filter in traditional WebSphere, which supports IP address ranges.
Environment
To configure the SPNEGO filter, a basic SPNEGO Single Sign On configuration needs to be in place.
Steps
1. By specifying the filter class
1. In the SPNEGO web authentication panel, go to the "SPNEGO filters" section. Select an existing filter or create a new one.
2. In the filter panel, set the "Filter class" field to "com.ibm.ws.security.spnego.HTTPHeaderFilter2". Set "Filter criteria" to a set of conditions separated by a semicolon (;).
In this example, the following 3 conditions are set:
- remote-address==9.42.29.[220-229] (the range includes its boundaries, so IP addresses 9.42.29.220 and 9.42.29.229 both match)
- request-url!=noSPNEGO
- user-agent%=Firefox
These conditions are evaluated with AND. If one condition fails, the filter returns false.
If the filter returns true, the SPNEGO Single Sign On logic is invoked for the request.
If the filter returns false, SPNEGO Single Sign On does not happen for the request.
2. By specifying the security custom property
The default filter ("com.ibm.ws.security.spnego.HTTPHeaderFilter") can be changed to "com.ibm.ws.security.spnego.HTTPHeaderFilter2" by setting the following security custom property:
Property: com.ibm.ws.security.spnego.useHttpFilterClass2
Value: true (Default: false)
To configure the security custom property, in the administrative console click Security > Global security > Custom properties, then click New to add the new custom property and its associated value.
Additional Information
The filter approach
A filter specifies a set of conditions which are met or not met. These conditions are logically ANDed together so that if one condition fails, the entire filter fails. Conditions are separated by the ; operator. Each condition specifies three elements:
- the operator (==, !=, %=, ^=, <, >)
- the input required element (generally an HTTP header name, but request-url & remote-address are special)
- the comparison value (generally a string, but IP address ranges are allowed)
Examples:
remote-address==192.168.*.*
remote-address==192.168.[7-13].*
request-url!=noSPNEGO;remote-address==192.168.*.*
user-agent%=IE6
Conditions:
The possible conditions are:
%= ContainsCondition - the input contains the comparison value
> GreaterCondition - the input is greater than the comparison value
< LessCondition - the input is less than the comparison value
!= NotContainsCondition - the input does not contain the comparison value
^= OrCondition - the input contains one of the comparison values
== EqualCondition - the input is equal to the comparison value
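The filter semantics described above can be modelled to check a criteria string against sample requests before it is entered in the console. This is an added Python example, not IBM's filter code: it covers only the ==, != and %= operators, and the function names, the case-sensitive comparison and the treatment of a missing input as an empty string are assumptions.

```python
import re
# Models only ==, != and %= ; the page's ^=, < and > operators are not covered.
_COND = re.compile(r"^\s*([A-Za-z0-9-]+)\s*(==|!=|%=)\s*(.+?)\s*$")

def octet_matches(pattern, octet):
    """Match one octet against '*', an inclusive '[lo-hi]' range, or a literal."""
    if pattern == "*":
        return True
    m = re.fullmatch(r"\[(\d+)-(\d+)\]", pattern)
    if m:
        return int(m.group(1)) <= octet <= int(m.group(2))
    return pattern.isdigit() and int(pattern) == octet

def ip_matches(pattern, address):
    """Compare a dotted-quad address with a pattern such as 192.168.[7-13].*"""
    pats, octs = pattern.split("."), address.split(".")
    if len(pats) != 4 or len(octs) != 4 or not all(o.isdigit() for o in octs):
        return False
    return all(octet_matches(p, int(o)) for p, o in zip(pats, octs))

def evaluate(criteria, request):
    """Return True only if every ';'-separated condition holds (logical AND)."""
    for cond in filter(None, (c.strip() for c in criteria.split(";"))):
        m = _COND.match(cond)
        if not m:
            raise ValueError("unsupported or malformed condition: %r" % cond)
        name, op, value = m.groups()
        actual = request.get(name.lower(), "")  # assumption: missing input == ""
        if op == "==" and name.lower() == "remote-address":
            ok = ip_matches(value, actual)
        elif op == "==":
            ok = actual == value
        elif op == "%=":
            ok = value in actual
        else:  # "!=": input does not contain the comparison value
            ok = value not in actual
        if not ok:
            return False
    return True

# Criteria string from the article; the requests below are constructed samples.
CRITERIA = "remote-address==9.42.29.[220-229];request-url!=noSPNEGO;user-agent%=Firefox"
SAMPLES = [
    {"remote-address": "9.42.29.220", "request-url": "/app/home", "user-agent": "Mozilla/5.0 Firefox/70.0"},
    {"remote-address": "9.42.29.230", "request-url": "/app/home", "user-agent": "Mozilla/5.0 Firefox/70.0"},
    {"remote-address": "9.42.29.225", "request-url": "/app/noSPNEGO/x", "user-agent": "Mozilla/5.0 Firefox/70.0"},
]
print([evaluate(CRITERIA, r) for r in SAMPLES])
```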
General Information about the SPNEGO filter
For general information about the SPNEGO filter, please refer to the following link:
Document Location
Worldwide
Document Information
Modified date:
14 November 2019
UID
ibm11105311