-
1. Re: Omitting SPNEGO at WildFly
mchoma Jan 17, 2017 11:10 AM (in response to mathakam)
You can specify fallback authentication in WildFly. That means if SPNEGO authentication fails, you can authenticate with, for example, FORM.
In such a case web.xml contains <auth-method>SPNEGO,FORM</auth-method>
See How to Set Up SSO with Kerberos - Red Hat Customer Portal for details.
Could you link WAS documentation about that feature?
-
2. Re: Omitting SPNEGO at WildFly
mathakam Jan 18, 2017 8:14 AM (in response to mchoma)
Thanks for your update Martin. The case you described is different though.
I know that WildFly supports fallback. In my case the situation is different.
SPNEGO authentication/authorization from, let's say, IE goes fine, the user
is logged in. Now I need to figure out a way to log him out and fall back
to form/basic. Normal setup enforces the browser negotiation request exchange
and will force Kerberos authentication again and again and again. So I
don't know how to set up a configuration allowing for logging a different
user in to the application while still staying logged in with the same Windows
user on the workstation. I am aware that such a scenario could be
considered a security rules violation.
Again, thank you for your interest!
-
3. Re: Omitting SPNEGO at WildFly
mchoma Jan 18, 2017 8:38 AM (in response to mathakam)
One nasty workaround comes to my mind :) In the browser you have to configure for which domains negotiation should be performed, right? E.g. network.negotiate-auth.trusted-uris=localhost in Firefox. What if your application could be seen on 2 domains (or 1 domain + 1 IP) and only one of them were configured in the browser? There is a chance that FORM authentication will be offered when accessing the second domain.
-
4. Re: Omitting SPNEGO at WildFly
pcarrollnf Aug 27, 2019 9:36 AM (in response to mathakam)
I had a similar situation where the user needed to log out and log in using the FORM mechanism and bypass SPNEGO. I finally found a solution by switching the <auth-method> order in web.xml.
I changed it from:
<auth-method>SPNEGO,FORM</auth-method>
To:
<auth-method>FORM,SPNEGO</auth-method>
I also added a parameter to my logout link so that the servlet forwarded the request to the form login page. Hope this helps.
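
Added example, not part of the original thread and not pcarrollnf's code: one way the logout servlet described in the last reply could look, using the standard javax.servlet API. The servlet URL `/logout`, the parameter `relogin=form` and the page paths `/login.jsp` and `/loggedout.jsp` are assumptions chosen for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet; URL, parameter name and page paths are assumptions.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Fixed, server-side targets. The request only selects between them and
    // never supplies a path or URL, so the logout link cannot be abused as
    // an open redirect or to forward to arbitrary internal resources.
    private static final String FORM_LOGIN_PAGE = "/login.jsp";     // assumed <form-login-page>
    private static final String LOGGED_OUT_PAGE = "/loggedout.jsp"; // assumed unprotected page

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Read the flag before the session is torn down.
        boolean reloginWithForm = "form".equals(req.getParameter("relogin"));

        // Drop the container-managed identity (the SPNEGO-authenticated user) ...
        req.logout();

        // ... and discard the session so nothing from the previous user
        // (attributes, cached roles, the session id) carries over to the next login.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Keep the response out of browser and proxy caches.
        resp.setHeader("Cache-Control", "no-store");

        // Server-side forward: the browser is not sent back to a protected URL,
        // so this response carries no Negotiate challenge.
        String target = reloginWithForm ? FORM_LOGIN_PAGE : LOGGED_OUT_PAGE;
        req.getRequestDispatcher(target).forward(req, resp);
    }
}
```

A logout link would then point at `/logout?relogin=form`. Whether the container offers FORM before SPNEGO on the next protected request still depends on the `<auth-method>` order shown above.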