4 Replies Latest reply on Aug 27, 2019 9:36 AM by pcarrollnf

    Omitting SPNEGO at WildFly


      Is there any way to bypass SPNEGO authentication/authorization for certain URLs at WildFly? A sample use case could be a user who is logged in to the secured application via SPNEGO (Kerberos) and needs to log out (from the app), after which someone else needs to log in from the same PC/browser but using his user/password credentials.

      For instance, WebSphere Application Server supports similar functionality. I am looking for such an option on WildFly. I would appreciate any hints or suggestions.

        • 1. Re: Omitting SPNEGO at WildFly

          You can specify fallback authentication in WildFly. That means if SPNEGO authentication fails you can authenticate with, for example, FORM.


          In such a case web.xml contains <auth-method>SPNEGO,FORM</auth-method>


          See How to Set Up SSO with Kerberos - Red Hat Customer Portal for details.


          Could you link WAS documentation about that feature?

          • 2. Re: Omitting SPNEGO at WildFly

            Thanks for your update Martin. The case you described is different though.

            I know that WildFly supports fallback. In my case the situation is different. SPNEGO authentication/authorization from, let's say, IE goes fine, the user is logged in. Now I need to figure out the way to log him out and fall back to form/basic. Normal setup enforces browser negotiation request exchange and will force Kerberos authentication again and again and again. So I don't know how to set up configuration allowing for logging a different user into the application while staying still logged in with the same Windows user to the workstation. I am aware that such a scenario could be considered as a security rules violation.

            Again, thank you for your interest!

            • 3. Re: Omitting SPNEGO at WildFly

              One nasty workaround comes to my mind :) In the browser you have to configure to which domains negotiation should be performed, right? E.g. network.negotiate-auth.trusted-uris=localhost in Firefox. What if your application could be seen on 2 domains (or 1 domain + 1 IP) and only one of them is configured in the browser? There is a chance that when accessing the second domain FORM authentication will be offered.

              • 4. Re: Omitting SPNEGO at WildFly

                I had a similar situation where the user needed to log out and log in using the FORM mechanism and bypass SPNEGO. I finally found a solution by switching the <auth-method> order in web.xml.


                I changed it from:






                I also added a parameter to my logout link so that the servlet forwarded the request to the form login page. Hope this helps.