4 Replies Latest reply on Aug 27, 2019 9:36 AM by pcarrollnf

    Omitting SPNEGO at WildFly

    mathakam

Is there any way to bypass SPNEGO authentication/authorization for certain URLs at WildFly? A sample use case could be a user who is logged in to the secured application via SPNEGO (Kerberos) and needs to log out (from the app), and then someone else needs to log in from the same PC/browser but using his user/password credentials.

For instance, WebSphere Application Server supports similar functionality. I am looking for such an option on WildFly. I would appreciate any hints or suggestions.

        • 1. Re: Omitting SPNEGO at WildFly
          mchoma

You can specify fallback authentication in WildFly. That means if SPNEGO authentication fails you can authenticate with, for example, FORM.


          In such case web.xml contains <auth-method>SPNEGO,FORM</auth-method>


          See How to Set Up SSO with Kerberos - Red Hat Customer Portal for details.


          Could you link WAS documentation about that feature?

          • 2. Re: Omitting SPNEGO at WildFly
            mathakam

Thanks for your update Martin. The case you described is different though.

I know that WildFly supports fallback. In my case the situation is different. SPNEGO authentication/authorization from, let's say, IE goes fine, the user is logged in. Now I need to figure out the way to log him out and fall back to FORM/BASIC. The normal setup enforces the browser negotiation request exchange and will force Kerberos authentication again and again and again. So I don't know how to set up a configuration allowing a different user to log in to the application while staying logged in to the workstation with the same Windows user. I am aware that such a scenario could be considered a security rules violation.

Again, thank you for your interest!

            • 3. Re: Omitting SPNEGO at WildFly
              mchoma

One nasty workaround comes to my mind :) In the browser you have to configure for which domains negotiation should be performed, right? E.g. network.negotiate-auth.trusted-uris=localhost in Firefox. What if your application could be seen on 2 domains (or 1 domain + 1 IP) and only one of them is configured in the browser? There is a chance that when accessing the second domain, FORM authentication will be offered.

              • 4. Re: Omitting SPNEGO at WildFly
                pcarrollnf

I had a similar situation where the user needed to log out and log in using the FORM mechanism and bypass SPNEGO. I finally found a solution by switching the <auth-method> order in web.xml.


                I changed it from:

                <auth-method>SPNEGO,FORM</auth-method>


                To:

                <auth-method>FORM,SPNEGO</auth-method>


I also added a parameter to my logout link so that the servlet forwarded the request to the form login page. Hope this helps.
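The logout servlet pcarrollnf describes, written out as an added example (it is not code from this thread or from WildFly). It assumes a web.xml with `<auth-method>FORM,SPNEGO</auth-method>` and a `<form-login-page>` of `/login.jsp`; the servlet path `/logout`, the query parameter name `form` and the login page path are assumptions for illustration. It targets the `javax.servlet` API that WildFly shipped at the time of the thread.

```java
// Added example, not from the thread: a logout servlet for a WildFly web application
// whose web.xml declares <auth-method>FORM,SPNEGO</auth-method> and a
// <form-login-page> of /login.jsp. The "form" parameter name, the "/logout" path and
// the login page path are assumptions made for this example.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Assumed to match <form-login-page> in web.xml.
    private static final String FORM_LOGIN_PAGE = "/login.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Clear the container-managed identity (Servlet 3.0 HttpServletRequest.logout())...
        req.logout();

        // ...and invalidate the HTTP session so no cached identity or saved request survives.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Make sure a proxy or the browser does not serve a stale, authenticated page later.
        resp.setHeader("Cache-Control", "no-store");

        if ("true".equals(req.getParameter("form"))) {
            // Forward (not redirect) to the form login page: the page is rendered inside this
            // same request, so the browser never issues a fresh request to a secured URL and
            // therefore never starts a Negotiate exchange before the user sees the form.
            req.getRequestDispatcher(FORM_LOGIN_PAGE).forward(req, resp);
        } else {
            // Plain logout: send the user back to the application's root.
            resp.sendRedirect(req.getContextPath() + "/");
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }
}
```

The logout link in the application then points at `/logout?form=true`; the form on `/login.jsp` posts to `j_security_check` as with any FORM-authenticated application, and with FORM listed first in `<auth-method>` the container accepts the username/password before it would offer SPNEGO. The form login page must not itself be covered by a `<security-constraint>`, otherwise the container would challenge for it again.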