Hello Tomcat user group.

I am setting up Tomcat 8.5.23 with Kerberos/SPNEGO. Since the Tomcat
server will only be hosting one web application and we only want SPNEGO
on certain environments, we were trying to add security constraints to
Tomcat's web.xml instead of the application's web.xml.

Unfortunately it doesn't seem like it is taking effect. The only change
is adding the app's URI context to the url-pattern in Tomcat's web.xml.

Is something misconfigured?  If not, what can I do to get this to work?

In TOMCAT_HOME/conf/web.xml...
---------------------------------------------

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>NoSSO</web-resource-name>
      <description>URIs that should not trigger SPNEGO</description>
      <url-pattern>/app/ping</url-pattern>
      <url-pattern>/app/ws/*</url-pattern>
      <url-pattern>/app/service/*</url-pattern>
    </web-resource-collection>
    <!-- No auth-constraint means paths are accessible -->
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSO</web-resource-name>
      <description>Default context path that will trigger Kerberos-SPNEGO SSO</description>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>**</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>SPNEGO Realm</realm-name>
  </login-config>

In app web.xml...
-----------------------
  <!-- SF Note: Added for SSO enablement -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>NoSSO</web-resource-name>
      <description>URIs that should not trigger SPNEGO</description>
      <url-pattern>/ping</url-pattern>
      <url-pattern>/ws/*</url-pattern>
      <url-pattern>/service/*</url-pattern>
    </web-resource-collection>
    <!-- No auth-constraint means paths are accessible -->
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSO</web-resource-name>
      <description>Default context path that will trigger Kerberos-SPNEGO SSO</description>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>**</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>SPNEGO Realm</realm-name>
  </login-config>

Thanks!

Randy

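Added example (not part of Randy's post and not Tomcat's own code): a small Python model of how a servlet container decides whether a request is covered by a security-constraint, run over the two configurations quoted above. It assumes the Servlet-spec matching rules, which Tomcat follows: url-patterns are compared against the context-relative path (servlet path plus path info), never against the full request URI including the context path, and the best-matching pattern is chosen in the order exact match, longest path-prefix match, extension match, then the default "/" pattern. It also assumes that constraints merged in from conf/web.xml are matched against the same context-relative path as those in the application's WEB-INF/web.xml, so both constraint lists below are evaluated identically. The Constraint class, the function names and the sample request URIs are constructed for this example.

```python
# Added example: a model of servlet security-constraint url-pattern matching.
# Written for this page; it is not Tomcat's implementation.  Assumptions:
#  - url-patterns match against the context-relative path, not the full URI
#  - best match order: exact, longest path-prefix ("/x/*"), extension ("*.ext"),
#    default ("/")
#  - a matching constraint with no <auth-constraint> allows unauthenticated
#    access even if another constraint at the same match level requires auth
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Constraint:
    name: str
    patterns: List[str]
    auth_required: bool  # True when the constraint carries an <auth-constraint>


def context_relative(request_uri: str, context_path: str) -> Optional[str]:
    """Path that url-patterns are matched against; None if the request is
    outside the context (the webapp never sees such a request)."""
    path = urlsplit(request_uri).path
    if context_path in ("", "/"):
        return path or "/"
    if path == context_path:
        return "/"
    if path.startswith(context_path + "/"):
        return path[len(context_path):]
    return None


def match_key(pattern: str, rel: str) -> Optional[Tuple[int, int]]:
    """Return a sortable key for a match (lower is better) or None."""
    if pattern == rel:
        return (0, 0)                      # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if rel == prefix or rel.startswith(prefix + "/"):
            return (1, -len(prefix))       # longest prefix wins
        return None
    if pattern.startswith("*."):
        return (2, 0) if rel.endswith(pattern[1:]) else None
    if pattern == "/":
        return (3, 0)                      # default pattern
    return None


def best_constraints(constraints: List[Constraint], rel: str) -> List[Constraint]:
    """All constraints that match at the best (most specific) level."""
    best_key, selected = None, []
    for c in constraints:
        for p in c.patterns:
            key = match_key(p, rel)
            if key is None:
                continue
            if best_key is None or key < best_key:
                best_key, selected = key, [c]
            elif key == best_key and c not in selected:
                selected.append(c)
    return selected


def auth_required(constraints: List[Constraint], context_path: str,
                  request_uri: str) -> Optional[bool]:
    """True if the request would trigger the login-config (SPNEGO here),
    False if it is reachable without authentication, None if it is not
    routed to this context at all."""
    rel = context_relative(request_uri, context_path)
    if rel is None:
        return None
    matched = best_constraints(constraints, rel)
    if not matched:
        return False  # unconstrained resource
    return all(c.auth_required for c in matched)


# The two constraint sets from the post, as written (constructed data).
GLOBAL_WEB_XML = [  # TOMCAT_HOME/conf/web.xml, patterns prefixed with /app
    Constraint("NoSSO", ["/app/ping", "/app/ws/*", "/app/service/*"], False),
    Constraint("SSO", ["/app/*"], True),
]
APP_WEB_XML = [     # the application's WEB-INF/web.xml
    Constraint("NoSSO", ["/ping", "/ws/*", "/service/*"], False),
    Constraint("SSO", ["/*"], True),
]
CONTEXT = "/app"
SAMPLE_URIS = ["/app/index.html", "/app/ping", "/app/ws/echo?x=1", "/other/x"]


def compare(uris: List[str] = SAMPLE_URIS) -> dict:
    """Outcome per URI under each constraint set."""
    return {u: {"conf/web.xml": auth_required(GLOBAL_WEB_XML, CONTEXT, u),
                "app web.xml": auth_required(APP_WEB_XML, CONTEXT, u)}
            for u in uris}


if __name__ == "__main__":
    for uri, result in compare().items():
        print(f"{uri:22} {result}")
```

Under these rules a request for /app/index.html is matched as /index.html, which none of the /app-prefixed patterns in the conf/web.xml variant cover, so that variant never triggers the SPNEGO login; the same patterns written context-relative, as in the application's web.xml, do.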