I have to write a custom Jaspic ServerAuthModule (which needs to add a proprietary Authentication Cookie to the HTTP Response AND HTTP Request to be propagated to the applications running on the App Server). The Authentication must be done using Kerberos, SPNEGO.

The Application Server to be used is JBOSS EAP 6.4.x

I managed to get the Authentication using the JAAS Krb5LoginModule working.

The JBOSS EAP *Standone.xml* I use:

      <security-domain name="host" cache-type="default">

        <authentication>

          <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">

              <module-option name="debug" value="true"/>

              <module-option name="principal" value="HTTP/macbookAirRCH@EXAMPLE.COM"/>

              <module-option name="storeKey" value="true"/>

              <module-option name="useKeyTab" value="true"/>

              <module-option name="doNotPrompt" value="true"/>

              <module-option name="keyTab" value="/Users/jet/Downloads/kerberos/macbookAirRCH.keytab"/>

          </login-module>

        </authentication>

      </security-domain>

      <security-domain name="SPNEGO" cache-type="default">

        <authentication>

          <login-module code="SPNEGO" flag="required">

              <module-option name="serverSecurityDomain" value="host"/>

          </login-module>

        </authentication>

        <mapping>

          <mapping-module code="SimpleRoles" type="role">

              <module-option name="user@EXAMPLE.COM" value="User,Admin"/>

          </mapping-module>

        </mapping>

      </security-domain>

*jboss-web.xml*:

     <jboss-web>

       <security-domain>SPNEGO</security-domain>

       <valve>

           <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>

       </valve>

       <context-root>kerberosREST</context-root>

     </jboss-web>

I also managed to get a customized JASPI Module working (`extends org.jboss.as.web.security.jaspi.modules.WebServerAuthModule`) using the following configuration:

    <security-domain name="testDomain" cache-type="default">

       <authentication-jaspi>

          <login-module-stack name="lm-stack">

             <login-module code="SPNEGO" flag="required">

                <module-option name="serverSecurityDomain" value="host"/>

             </login-module>

          </login-module-stack>

          <auth-module code="ch.test.jaspic.CustomServerAuthModule" flag="required" login-module-stack-ref="lm-stack"/>

        </authentication-jaspi>

           <mapping>

              <mapping-module code="SimpleRoles" type="role">

                 <module-option name="user@EXAMPLE.COM" value="User,Admin"/>

                 </mapping-module>

              </mapping>

     </security-domain>

*jboss-web.xml*:

    <jboss-web>

       <security-domain>testDomain</security-domain>

       <valve>

           <class-name>org.jboss.as.web.security.jaspi.WebJASPIAuthenticator</class-name>

       </valve>

       <context-root>kerberosREST</context-root>

    </jboss-web>

How can I use the default JASS Krb5LoginModule?

Should I include the two valves in the jboss-web.xml? (the order is important)

*jboss-web.xml*:

    <jboss-web>

       <security-domain>testDomain</security-domain>

       <valve>

           <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>

       </valve>

       <valve>

           <class-name>org.jboss.as.web.security.jaspi.WebJASPIAuthenticator</class-name>

       </valve>

       <context-root>kerberosREST</context-root>

    </jboss-web>

Many thanks in advance

ps: original question on Stack Overflow: http://stackoverflow.com/questions/36119266/jaspic-serverauthmodule-delegating-to-jaas-krb5loginmodule