
Overview of SPNegoLoginModule

Definition

The SPNegoLoginModule is a JAAS login module that implements the Simple and Protected GSS API Negotiation Mechanism (SPNego) for Kerberos authentication on the J2EE Engine. SPNego is a standard GSS API mechanism that is used to determine which Kerberos GSS API mechanisms are shared, select one, and then establish a security context with it.

Use

The SPNegoLoginModule is used for enabling Kerberos authentication functions on the J2EE Engine. You can add the login module to a login module stack and thereby use Kerberos authentication with or without a fallback authentication mechanism.

Structure

For an overview of the configuration properties for SPNegoLoginModule, see the table below:

| Property | Type | Possible Values | Default Values | Description |
| --- | --- | --- | --- | --- |
| com.sap.spnego.jgss.name | Required | | | Kerberos Principal Name of the J2EE Engine. |
| com.sap.spnego.uid.resolution.attr | Optional | uniquename for resolution mode simple; krb5principalname for resolution mode prefixbased | | Name of the user attribute used to search for the J2EE Engine service user in the KDC user store. The value of this property depends on the value of the property com.sap.spnego.uid.resolution.mode. |
| com.sap.spnego.uid.resolution.mode | Optional | none, simple, prefixbased | simple | Specifies the user resolution mode that the UME uses to resolve the J2EE Engine user account from the KPN. For more information, see UME Configuration. |
| com.sap.spnego.jgss.name.type | Optional | 0, 1 | 1 | The value 0 specifies that the Kerberos Principal Name (KPN) is a host based principal, for example HTTP@hades.customer.de. The value 1 specifies that the KPN is a user name, for example HTTP/hades.customer.de@IT.CUSTOMER.DE. |
| com.sap.spnego.jgss.mech | Optional | | 1.2.840.113554.1.2.2 | Specifies the GSS API mechanism for the name parameter. |
| com.sap.spnego.jgss.supp_mechs | Optional | | 1.2.840.113554.1.2.2, 1.2.840.48018.1.2.2 | Identifiers of the supported SPNego mechanisms. Currently two mechanisms are supported, both of which are Kerberos. |
| com.sap.spnego.creds_in_thread | Optional | true, false | false | Specifies whether the first credential acquisition takes place in a separate thread. Recommended for Sun platforms. |
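The following Python check is an added example, not SAP code: it lints one SPNegoLoginModule option map against the values in the table above before the module is placed in a login module stack. The dict representation of the options, the shape test for host-based names (inferred from the example HTTP@hades.customer.de), the separator accepted for com.sap.spnego.jgss.supp_mechs, and the sample configurations are assumptions.

```python
import re

P = "com.sap.spnego."
# Allowed values and defaults copied from the property table above.
ALLOWED = {
    P + "uid.resolution.mode": {"none", "simple", "prefixbased"},
    P + "jgss.name.type": {"0", "1"},
    P + "creds_in_thread": {"true", "false"},
}
DEFAULTS = {P + "uid.resolution.mode": "simple", P + "jgss.name.type": "1",
            P + "jgss.mech": "1.2.840.113554.1.2.2", P + "creds_in_thread": "false"}
FREE_FORM = {P + "jgss.name", P + "uid.resolution.attr", P + "jgss.mech", P + "jgss.supp_mechs"}
MODE_ATTR = {"simple": "uniquename", "prefixbased": "krb5principalname"}
KRB5_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}
# Assumed shape of a host-based name, inferred from HTTP@hades.customer.de.
HOST_BASED = re.compile(r"^[^@/\s]+@[^@/\s]+$")


def check_spnego_options(options):
    """Return findings for one SPNegoLoginModule option map (dict of str -> str)."""
    given = {k: str(v).strip() for k, v in options.items()}
    opts = {**DEFAULTS, **given}
    findings = []
    for key in given:  # property names that do not appear in the table (typos)
        if key not in ALLOWED and key not in FREE_FORM:
            findings.append(f"unknown property: {key}")
    for key, allowed in ALLOWED.items():
        if opts[key] not in allowed:
            findings.append(f"{key}={opts[key]!r} not in {sorted(allowed)}")
    name = opts.get(P + "jgss.name", "")
    if not name:
        findings.append(P + "jgss.name is required")
    elif opts[P + "jgss.name.type"] == "0" and not HOST_BASED.match(name):
        findings.append(f"name.type 0 expects service@host, got {name!r}")
    mode, attr = opts[P + "uid.resolution.mode"], given.get(P + "uid.resolution.attr")
    if attr and mode in MODE_ATTR and attr != MODE_ATTR[mode]:
        findings.append(f"resolution.attr {attr!r} differs from {MODE_ATTR[mode]!r} listed for mode {mode}")
    # Assumed separators for supp_mechs: commas, semicolons or whitespace.
    for oid in filter(None, re.split(r"[,;\s]+", given.get(P + "jgss.supp_mechs", ""))):
        if oid not in KRB5_OIDS:
            findings.append(f"unsupported SPNego mechanism OID: {oid}")
    return findings


# Constructed sample configurations (not from the page).
GOOD = {P + "jgss.name": "HTTP/hades.customer.de@IT.CUSTOMER.DE"}
BAD = {P + "jgss.name": "HTTP/hades.customer.de@IT.CUSTOMER.DE", P + "jgss.name.type": "0",
       P + "uid.resolution.mode": "prefixbased", P + "uid.resolution.attr": "uniquename",
       P + "jgss.supp_mechs": "1.2.840.113554.1.2.2, 1.3.6.1.5.5.2", P + "creds_in_tread": "true"}
```

Calling `check_spnego_options(BAD)` returns four findings: the misspelled property name, the name that does not fit name type 0, the attribute that does not match the resolution mode, and the mechanism OID outside the two supported ones.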
