4 Replies Latest reply on Aug 27, 2019 9:36 AM by Paul Carroll

    Omitting SPNEGO at WildFly

    Marcin Wilk Newbie

Is there any way to bypass SPNEGO authentication/authorization for certain URLs at WildFly? A sample use case could be a user who is logged in to the secured application via SPNEGO (Kerberos) and needs to log out (from the app), and someone else needs to log in from the same PC/browser but using his user/password credentials.

For instance, WebSphere Application Server supports similar functionality. I am looking for such an option on WildFly. I would appreciate any hints or suggestions.

        • 1. Re: Omitting SPNEGO at WildFly
          Martin Choma Master

You can specify fallback authentication in WildFly. That means if SPNEGO authentication fails, you can authenticate with, for example, FORM.


          In such case web.xml contains <auth-method>SPNEGO,FORM</auth-method>


          See How to Set Up SSO with Kerberos - Red Hat Customer Portal for details.


          Could you link WAS documentation about that feature?

          • 2. Re: Omitting SPNEGO at WildFly
            Marcin Wilk Newbie

Thanks for your update, Martin. The case you described is different though.

I know that WildFly supports fallback. In my case the situation is different. SPNEGO authentication/authorization from, let's say, IE goes fine, and the user is logged in. Now I need to figure out the way to log him out and fall back to form/basic. The normal setup enforces the browser negotiation request exchange and will force Kerberos authentication again and again and again. So I don't know how to set up a configuration allowing a different user to log in to the application while still staying logged in to the workstation with the same Windows user. I am aware that such a scenario could be considered a security rules violation.

Again, thank you for your interest!

            • 3. Re: Omitting SPNEGO at WildFly
              Martin Choma Master

One nasty workaround comes to my mind :) In the browser you have to configure the domains for which negotiation should be performed, right? E.g. network.negotiate-auth.trusted-uris=localhost in Firefox. What if your application could be seen on 2 domains (or 1 domain + 1 IP) and only one of them is configured in the browser? There is a chance that when accessing the second domain, FORM authentication will be offered.

              • 4. Re: Omitting SPNEGO at WildFly
                Paul Carroll Newbie

I had a similar situation where the user needed to log out and log in using the FORM mechanism and bypass SPNEGO. I finally found a solution by switching the <auth-method> order in web.xml.


                I changed it from:






                I also added a parameter to my logout link so that the servlet forwarded the request to the form login page.  Hope this helps.
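One way to implement the logout link with a parameter that the post above describes, added here as an example and not Paul's own code. The /logout servlet path, the to=form parameter name and the /login.jsp page are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logs the current user out and, when the link carries "?to=form",
 * forwards the browser to the form login page instead of letting the
 * next protected request start a fresh Negotiate exchange.
 */
@WebServlet("/logout")   // servlet path is an assumption for this example
public class LogoutServlet extends HttpServlet {

    // Assumed location of the form login page (must not be behind a
    // security-constraint, or the container cannot serve it).
    private static final String FORM_LOGIN_PAGE = "/login.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // Servlet 3.0: clears the authenticated identity for this request.
        req.logout();

        // Drop the session so no cached principal or saved request survives.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Make sure the logout response itself is never cached.
        resp.setHeader("Cache-Control", "no-store");

        if ("form".equals(req.getParameter("to"))) {
            // Forward (not redirect) so the logout URL does not end up in
            // the browser history and the user lands on the form directly.
            req.getRequestDispatcher(FORM_LOGIN_PAGE).forward(req, resp);
        } else {
            resp.sendRedirect(req.getContextPath() + "/");
        }
    }
}
```

Because the user is forwarded straight to the form rather than redirected there by the container, there is no saved protected request to return to once the POST to j_security_check succeeds; check where your container lands the user in that case and give the form a sensible post-login destination if needed.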