4 Replies Latest reply on Apr 14, 2010 11:25 AM by sridhar18

    Issues with JBoss Negotiation

    danielmesser

      I am having some serious configuration issues when trying to run the toolkit. I am running out of ideas and time to make it work so maybe you could point me to some directions on how to fix my problems.
      I am running security-negotiation-2.0.3.Beta2 with JBoss 4.2.3.GA on a Linux X86_64 machine.

      On the client side, I am using Firefox 2.0.0.7 on a Linux i686 desktop
      - I enabled GSSAPI:
      network.negotiate-auth.allow-proxies: true
      network.negotiate-auth.delegation-uris:
      network.negotiate-auth.gsslib:
      network.negotiate-auth.trusted-uris: http://
      network.negotiate-auth.using-native-gsslib: true

      - Security Domain test works fine
      - Basic negotiation fails with the following error:

      =============================================================
      HTTP Status 500 -

      type Exception report

      message

      description The server encountered an internal error () that prevented it from fulfilling this request.

      exception

      javax.servlet.ServletException: Unable to writeHeaderDetail
      org.jboss.security.negotiation.toolkit.BasicNegotiationServlet.doGet(BasicNegotiationServlet.java:106)
      javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
      javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
      org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)

      root cause

      java.io.IOException: Unexpected message type
      org.jboss.security.negotiation.spnego.encoding.NegTokenInitDecoder.decodeNegTokenInitSequence(NegTokenInitDecoder.java:112)
      org.jboss.security.negotiation.spnego.encoding.NegTokenInitDecoder.decode(NegTokenInitDecoder.java:144)
      org.jboss.security.negotiation.toolkit.BasicNegotiationServlet.writeHeaderDetail(BasicNegotiationServlet.java:137)
      org.jboss.security.negotiation.toolkit.BasicNegotiationServlet.doGet(BasicNegotiationServlet.java:96)
      javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
      javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
      org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)

      note The full stack trace of the root cause is available in the JBossWeb/2.0.1.GA logs.

      ============================================================

      On the server side the log shows:

      ============================================================
      2009-01-21 10:18:38,645 INFO [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] No Authorization Header, sending 401
      2009-01-21 10:18:38,655 INFO [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] Authorization header received - formatting web page response.
      2009-01-21 10:18:38,656 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/jboss-negotiation-toolkit].[BasicNegotiation]] Servlet.service() for servlet BasicNegotiation threw exception java.io.IOException: Unexpected message type
      at org.jboss.security.negotiation.spnego.encoding.NegTokenInitDecoder.decodeNegTokenInitSequence(NegTokenInitDecoder.java:112)
      at org.jboss.security.negotiation.spnego.encoding.NegTokenInitDecoder.decode(NegTokenInitDecoder.java:144)
      :
      :
      ============================================================

      The request header is:

      ============================================================
      Host lnx.americas.sgi.com:8080
      User-Agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
      Accept text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      Accept-Language en-us,en;q=0.5
      Accept-Encoding gzip,deflate
      Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive 300
      Connection keep-alive
      Referer http://lnx.americas.sgi.com:8080/jboss-negotiation-toolkit/
      Cookie s_vi=[CS]v1|492193040000758D-A0208550000349F[CE]; SGISESSION=WeAsHAJ9%2FOd8g
      Authorization Negotiate

      ===========================================================

      The login-config.xml configuration is:

      ===========================================================
      <application-policy name="host">
         <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="storeKey">true</module-option>
            <module-option name="useKeyTab">true</module-option>
            <module-option name="principal">host/lnx.americas.sgi.com@SLC.SGI.COM</module-option>
            <module-option name="keyTab">/etc/krb5.keytab</module-option>
            <module-option name="doNotPrompt">true</module-option>
            <module-option name="debug">true</module-option>
         </login-module>
      </application-policy>

      <application-policy name="SPNEGO">
         <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="serverSecurityDomain">host</module-option>
         </login-module>
         <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="usersProperties">props/spnego-users.properties</module-option>
            <module-option name="rolesProperties">props/spnego-roles.properties</module-option>
         </login-module>
      </application-policy>

      ===============================================================

      - I got the tickets on the client side through kinit -p -f:
      klist -e
      Ticket cache: FILE:/tmp/krb5cc_10002
      Default principal: daniel@SLC.SGI.COM

      Valid starting Expires Service principal
      01/21/09 08:24:34 01/22/09 08:24:34 krbtgt/SLC.SGI.COM@SLC.SGI.COM
      Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
      01/21/09 08:24:52 01/22/09 08:24:34 HTTP/lnx.americas.sgi.com@SLC.SGI.COM
      Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
      01/21/09 08:47:26 01/22/09 08:24:34 host/lnx.americas.sgi.com@SLC.SGI.COM
      Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1


      Kerberos 4 ticket cache: /tmp/tkt10002
      klist: You have no tickets cached

      - On the server side the tickets are:
      # klist -e
      Ticket cache: FILE:/tmp/krb5cc_0
      Default principal: root@SLC.SGI.COM

      Valid starting Expires Service principal
      01/20/09 17:18:14 01/21/09 17:18:13 krbtgt/SLC.SGI.COM@SLC.SGI.COM
      Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
      01/20/09 17:18:24 01/21/09 17:18:13 host/aphelion.americas.sgi.com@SLC.SGI.COM
      Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1


      Kerberos 4 ticket cache: /tmp/tkt0
      klist: You have no tickets cached

      - the kerberos configuration on the client side is:

      =========================================================
      [libdefaults]
      default_realm = SLC.SGI.COM
      forwardable = 1

      [realms]
      SLC.SGI.COM = {
      default_domain = SLC.SGI.COM
      kdc = depot.americas.sgi.com:88
      kdc = aphelion.americas.sgi.com:88
      kdc = feanor.americas.sgi.com:88
      admin_server = depot.americas.sgi.com:749
      }

      [domain_realm]
      .americas.sgi.com = SLC.SGI.COM
      americas.sgi.com = SLC.SGI.COM

      [logging]
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmin.log
      default = FILE:/var/log/krb5lib.log
      ============================================================

      - on the server side, the kerberos configuration is

      ============================================================
      [libdefaults]
      default_realm = SLC.SGI.COM
      forwardable = 1

      [realms]
      SLC.SGI.COM = {
      default_domain = SLC.SGI.COM
      kdc = depot.americas.sgi.com:88
      kdc = aphelion.americas.sgi.com:88
      kdc = feanor.americas.sgi.com:88
      admin_server = depot.americas.sgi.com:749
      }

      [domain_realm]
      .americas.sgi.com = SLC.SGI.COM
      americas.sgi.com = SLC.SGI.COM

      [logging]
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmin.log
      default = FILE:/var/log/krb5lib.log
      ===========================================================

      Please let me know if you need more information.
      Your help would be greatly appreciated.

      Daniel

        • 1. Re: Issues with JBoss Negotiation
          danielmesser

          Darran,

          As per your suggestion, I upgraded Firefox to Firefox3. It still doesn't work but now I get the following error:
          Any ideas?
          Thanks

          20:57:14,091 INFO [SPNEGOAuthenticator] Header - null
          20:57:14,187 INFO [SPNEGOAuthenticator] Header - Negotiate
          20:57:14,188 INFO [STDOUT] Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /etc/krb5.keytab refreshKrb5Config is false principal is host/lnx.americas.sgi.com@SLC.SGI.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
          20:57:14,189 INFO [STDOUT] principal's key obtained from the keytab
          20:57:14,189 INFO [STDOUT] Acquire TGT using AS Exchange
          20:57:14,236 INFO [STDOUT] principal is host/lnx.americas.sgi.com@SLC.SGI.COM
          20:57:14,237 INFO [STDOUT] EncryptionKey: keyType=1 keyBytes (hex dump)=0000: EA 7F 1F 73 8F 89 7C 08
          20:57:14,237 INFO [STDOUT] EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 64 CD 57 D9 B0 C2 19 D0 85 DF 5E 0B 6D 43 CD 37 d.W.......^.mC.7
          0010: CD B3 CB B5 0D 5D DC 13
          20:57:14,237 INFO [STDOUT] Added server's keyKerberos Principal host/lnx.americas.sgi.com@SLC.SGI.COMKey Version 3key EncryptionKey: keyType=1 keyBytes (hex dump)=
          0000: EA 7F 1F 73 8F 89 7C 08
          20:57:14,237 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/lnx.americas.sgi.com@SLC.SGI.COM to Subject
          20:57:14,237 INFO [STDOUT] Added server's keyKerberos Principal host/lnx.americas.sgi.com@SLC.SGI.COMKey Version 3key EncryptionKey: keyType=16 keyBytes (hex dump)=
          0000: 64 CD 57 D9 B0 C2 19 D0 85 DF 5E 0B 6D 43 CD 37 d.W.......^.mC.7
          0010: CD B3 CB B5 0D 5D DC 13
          20:57:14,237 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/lnx.americas.sgi.com@SLC.SGI.COM to Subject
          20:57:14,237 INFO [STDOUT] Commit Succeeded
          20:57:14,241 ERROR [SPNEGOLoginModule] Unable to authenticate
          GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
          at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:730)
          at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
          at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
          at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:295)
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.Subject.doAs(Subject.java:337)
          at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:113)
          at sun.reflect.GeneratedMethodAccessor77.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:585)
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
          at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
          at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
          at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
          at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
          at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
          at org.jboss.security.negotiation.spnego.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:103)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
          at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
          at java.lang.Thread.run(Thread.java:595)
          Caused by: KrbException: Checksum failed
          at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:77)
          at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:69)
          at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:167)
          at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
          at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
          at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
          at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:715)
          ... 31 more
          Caused by: java.security.GeneralSecurityException: Checksum failed
          at sun.security.krb5.internal.crypto.dk.DkCrypto.decrypt(DkCrypto.java:354)
          at sun.security.krb5.internal.crypto.Des3.decrypt(Des3.java:57)
          at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:75)
          ... 37 more
          20:57:14,243 INFO [STDOUT] [Krb5LoginModule]: Entering logout
          20:57:14,243 INFO [STDOUT] [Krb5LoginModule]: logged out Subject

          • 2. Re: Issues with JBoss Negotiation
            danielmesser

            Darran,

            I realized that Negotiation 2.0.3GA has been released. I updated JBoss with the new version.
            Now, Basic Negotiation, which used to work when I upgraded Firefox, is not working anymore with a new error:

            22:06:55,767 INFO [BasicNegotiationServlet] No Authorization Header, sending 401
            22:06:55,922 INFO [BasicNegotiationServlet] Authorization header received - decoding token.
            22:06:55,923 ERROR [[BasicNegotiation]] Servlet.service() for servlet BasicNegotiation threw exception
            java.lang.VerifyError: (class: org/jboss/security/negotiation/spnego/SPNEGOMessageFactory, method: createMessage signature: (Ljava/io/InputStream;)Lorg/jboss/security/negotiation/NegotiationMessage;) Wrong return type in function
            at java.lang.Class.getDeclaredConstructors0(Native Method)
            at java.lang.Class.privateGetDeclaredConstructors(Class.java:2357)
            at java.lang.Class.getConstructor0(Class.java:2671)
            at java.lang.Class.newInstance0(Class.java:321)
            at java.lang.Class.newInstance(Class.java:303)
            at org.jboss.security.negotiation.MessageFactory.newInstance(MessageFactory.java:110)
            at org.jboss.security.negotiation.MessageFactory.newInstance(MessageFactory.java:80)
            at org.jboss.security.negotiation.toolkit.BasicNegotiationServlet.doGet(BasicNegotiationServlet.java:105)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
            at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
            at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
            at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
            at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
            at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
            at java.lang.Thread.run(Thread.java:595)

            Your help is greatly appreciated,
            Thanks,

            Daniel

            • 3. Re: Issues with JBoss Negotiation
              dlofthouse

              Daniel,

              The latest error that you are showing looks as though you may have more than one version of the JBoss Negotiation library deployed - can you double check that you did completely remove the old version?
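
A check for the condition described in the reply above, as an added example that is not part of the original thread or of the JBoss Negotiation project: it walks a server directory and lists every archive or exploded directory that provides classes under org/jboss/security/negotiation, flagging classes that appear more than once or with differing bytes. It generalizes from the one class named in the VerifyError to the whole package; the directory layout and jar names built in demo() are constructed.

```python
import io
import os
import sys
import tempfile
import zipfile
import zlib
from collections import defaultdict
from contextlib import suppress

PACKAGE_PREFIX = "org/jboss/security/negotiation/"  # package named in the VerifyError
ARCHIVE_EXTS = (".jar", ".war", ".sar", ".ear")

def _record(entry, container, crc, found):
    """Remember one .class file of the package and the place that provides it."""
    idx = entry.find(PACKAGE_PREFIX)
    if not entry.endswith(".class") or idx == -1 or (idx and entry[idx - 1] != "/"):
        return
    found[entry[idx:]].append((container or entry[:idx] or "./", crc))

def _scan_zip(zf, label, found):
    for info in zf.infolist():
        if info.filename.lower().endswith(ARCHIVE_EXTS):  # nested, e.g. WEB-INF/lib/*.jar
            data = io.BytesIO(zf.read(info))
            with suppress(zipfile.BadZipFile), zipfile.ZipFile(data) as inner:
                _scan_zip(inner, label + "!/" + info.filename, found)
        else:
            _record(info.filename, label, info.CRC, found)

def scan(root):
    """Map each negotiation class found under root to [(location, crc32), ...]."""
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if fname.lower().endswith(ARCHIVE_EXTS):
                with suppress(zipfile.BadZipFile, OSError), zipfile.ZipFile(path) as zf:
                    _scan_zip(zf, rel, found)
            elif fname.endswith(".class"):  # exploded deployment directory
                with open(path, "rb") as fh:
                    _record(rel, "", zlib.crc32(fh.read()) & 0xFFFFFFFF, found)
    return found

def report(found):
    """Providers of the package, classes seen twice, classes whose bytes differ."""
    return {
        "providers": sorted({loc for v in found.values() for loc, _ in v}),
        "duplicated": sorted(c for c, v in found.items() if len(v) > 1),
        "conflicting": sorted(c for c, v in found.items() if len({crc for _, crc in v}) > 1),
    }

def demo():
    """Constructed tree: an old jar left in lib/ beside a new one inside a .war."""
    cls = PACKAGE_PREFIX + "spnego/SPNEGOMessageFactory.class"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        os.makedirs(os.path.join(root, "deploy"))
        with zipfile.ZipFile(os.path.join(root, "lib", "negotiation-old.jar"), "w") as jar:
            jar.writestr(cls, b"constructed bytes: old build")
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as jar:
            jar.writestr(cls, b"constructed bytes: new build")
        with zipfile.ZipFile(os.path.join(root, "deploy", "toolkit.war"), "w") as war:
            war.writestr("WEB-INF/lib/negotiation-new.jar", inner.getvalue())
        return report(scan(root))

if __name__ == "__main__":
    print(report(scan(sys.argv[1])) if len(sys.argv) > 1 else demo())
```

Run it with the server configuration directory as the only argument; more than one entry under "providers" means the package is being loaded from more than one place.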

              • 4. Re: Issues with JBoss Negotiation
                sridhar18

                Hi Darran,

                I'm trying JBoss Negotiation as a proof of concept at my company. I'm trying to test this entirely on my workstation which runs on Linux. I have JBoss 4.2.3 GA deployed locally and I'm using the latest Firefox 3.6.3 as my browser. I downloaded JBoss Security Negotiation 2.0.3 GA and followed the instructions in the user guide to set things up. I thought I had it all set up and deployed the jboss-negotiation-toolkit locally to test my settings.

                I also configured my Firefox's network.negotiate-auth.trusted-uris to be http://localhost:8080 (that's where my JBoss is).

                 

                I'm able to test the "Security Domain Test" successfully. I get the expected "Authenticated" message for my security domain "host"

                I'm NOT able to test the "Basic Negotiation". I get "HTTP 401" error. "This request requires HTTP Authentication"

                I see this in the logs:

                         INFO  [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] No Authorization Header, sending 401

                 

                Could you figure out what I'm missing? Can we actually do this on a single workstation? Any help would be appreciated.

                 

                Below is my login-config.xml

                 

                <application-policy name="host">
                   <authentication>
                      <login-module code="com.sun.security.auth.module.Krb5LoginModule"
                         flag="required">
                         <module-option name="storeKey">true</module-option>
                         <module-option name="useKeyTab">true</module-option>                                                    
                         <module-option name="principal">jboss-process@MY.COMPANY.DOMAIN.COM</module-option>            
                         <module-option name="keyTab">/home/testuser/lhost.keytab</module-option>
                         <module-option name="doNotPrompt">true</module-option>
                         <module-option name="isInitiator">false</module-option>
                         <module-option name="debug">true</module-option>
                      </login-module>
                   </authentication>
                </application-policy>

                 

                <application-policy name="SPNEGO">
                   <authentication>
                      <login-module
                         code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule"
                         flag="requisite">
                         <module-option name="password-stacking">useFirstPass</module-option>
                         <module-option name="serverSecurityDomain">host</module-option>
                      </login-module>
                      <login-module
                         code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                         flag="required">
                         <module-option name="password-stacking">useFirstPass</module-option>
                         <module-option name="usersProperties">props/spnego-users.properties</module-option>
                         <module-option name="rolesProperties">props/spnego-roles.properties</module-option>
                      </login-module>
                    </authentication>
                </application-policy>
                </policy>