3 Replies Latest reply on Jan 18, 2017 8:38 AM by Martin Choma

    Omitting SPNEGO at WildFly

    Marcin Wilk Newbie

      Is there any way to bypass SPNEGO authentication/authorization for certain URLs at WildFly? A sample use case could be a user who is logged in to the secured application via SPNEGO (Kerberos) and needs to log out (from the app), and someone else needs to log in from the same PC/browser but using his username/password credentials.

      For instance, WebSphere Application Server supports similar functionality. I am looking for such an option on WildFly. I would appreciate any hints or suggestions.

        • 1. Re: Omitting SPNEGO at WildFly
          Martin Choma Expert

          You can specify fallback authentication in WildFly. That means if SPNEGO authentication fails you can authenticate with, for example, FORM.

          In such a case web.xml contains <auth-method>SPNEGO,FORM</auth-method>

          See "How to Set Up SSO with Kerberos" (Red Hat Customer Portal) for details.

          Could you link the WAS documentation about that feature?

          • 2. Re: Omitting SPNEGO at WildFly
            Marcin Wilk Newbie

            Thanks for your update, Martin. The case you described is different though.

            I know that WildFly supports fallback. In my case the situation is different.

            SPNEGO authentication/authorization from, let's say, IE goes fine; the user is logged in. Now I need to figure out the way to log him out and fall back to form/basic. The normal setup enforces the browser negotiation request exchange and will force Kerberos authentication again and again and again. So I don't know how to set up a configuration allowing a different user to log in to the application while still being logged in to the workstation as the same Windows user. I am aware that such a scenario could be considered a security rules violation.

            Again, thank you for your interest!

            • 3. Re: Omitting SPNEGO at WildFly
              Martin Choma Expert

              One nasty workaround comes to my mind :) In the browser you have to configure for which domains negotiation should be performed, right? E.g. network.negotiate-auth.trusted-uris=localhost in Firefox. What if your application could be seen on 2 domains (or 1 domain + 1 IP) and only one of them is configured in the browser? There is a chance that when accessing the second domain, FORM authentication will be offered.

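              To make the workaround concrete, here is an added model (not code from this thread, from WildFly or from any browser) of the exchange it relies on: a server configured as SPNEGO,FORM challenges every request to a secured URL with WWW-Authenticate: Negotiate and, in this model, ships the login form in the 401 body so a browser that never answers Negotiate can still log in; a browser answers Negotiate only for hosts matching network.negotiate-auth.trusted-uris. The trusted-uris matching (entry equals the host or is a domain suffix of it) is a simplification of Firefox's rule, the 401-with-form behaviour is an assumption of the model, and the host names, users and "Kerberos token" are constructed placeholders. Under the trusted name the Windows user is logged in by SPNEGO; under the IP alias the form is shown and a different user can log in:

```python
"""SPNEGO-then-FORM fallback seen from the browser (added model, see lead-in)."""
import base64
from dataclasses import dataclass, field

# Constructed stand-in for the login page the server would render.
LOGIN_FORM = '<form action="/j_security_check" method="post">...</form>'


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def host_is_trusted(host: str, trusted_uris: str) -> bool:
    """Simplified network.negotiate-auth.trusted-uris match (assumption): an entry
    matches when it equals the host or is a domain suffix of it, so 'localhost'
    never matches '127.0.0.1' and 'corp.example' never matches 'evilcorp.example'."""
    host = host.lower()
    for entry in (e.strip().lower() for e in trusted_uris.split(",")):
        entry = entry.split("://", 1)[-1].lstrip(".")  # drop scheme / leading dot
        if entry and (host == entry or host.endswith("." + entry)):
            return True
    return False


class AppServer:
    """Server side of <auth-method>SPNEGO,FORM</auth-method>, heavily simplified."""

    FORM_USERS = {"bob": "bob-pw"}  # constructed username/password store

    def handle(self, method, path, headers=None, form=None):
        headers, form = headers or {}, form or {}
        if method == "POST" and path == "/j_security_check":
            user = form.get("j_username")
            if user in self.FORM_USERS and self.FORM_USERS[user] == form.get("j_password"):
                return Response(200, body=f"logged in as {user} via FORM")
            return Response(403, body="bad credentials")
        if not path.startswith("/secured/"):
            return Response(200, body="public page")
        auth = headers.get("Authorization", "")
        if auth.startswith("Negotiate "):
            # A real server validates a GSS-API token here; the model just decodes
            # the constructed token to recover the principal.
            principal = base64.b64decode(auth[len("Negotiate "):]).decode()
            return Response(200, body=f"logged in as {principal} via SPNEGO")
        # Challenge with Negotiate; the form in the body is the FORM fallback.
        return Response(401, {"WWW-Authenticate": "Negotiate"}, body=LOGIN_FORM)


class Browser:
    """Browser on a workstation where `principal` is the logged-on Windows user."""

    def __init__(self, trusted_uris, principal):
        self.trusted_uris = trusted_uris
        self.principal = principal

    def get(self, server, host, path):
        resp = server.handle("GET", path)
        if (resp.status == 401
                and resp.headers.get("WWW-Authenticate") == "Negotiate"
                and host_is_trusted(host, self.trusted_uris)):
            # Stand-in for the Kerberos AP-REQ a real browser would obtain via SSPI/GSSAPI.
            token = base64.b64encode(self.principal.encode()).decode()
            resp = server.handle("GET", path, {"Authorization": f"Negotiate {token}"})
        return resp  # untrusted host: the 401 body (the login form) is what the user sees

    def submit_form(self, server, username, password):
        return server.handle("POST", "/j_security_check",
                             form={"j_username": username, "j_password": password})


def visit(trusted_uris, host, form_credentials=None):
    """One visit to /secured/ on `host` from alice's workstation; returns the final body.
    If the form is shown and `form_credentials` are given, that user submits them."""
    server = AppServer()
    browser = Browser(trusted_uris, "alice@CORP.EXAMPLE")
    resp = browser.get(server, host, "/secured/")
    if resp.status == 401 and form_credentials is not None:
        resp = browser.submit_form(server, *form_credentials)
    return resp.body


if __name__ == "__main__":
    print(visit("corp.example", "app.corp.example"))             # SPNEGO logs alice in
    print(visit("corp.example", "10.0.0.5", ("bob", "bob-pw")))  # IP alias: bob uses the form
```

              The model also shows why the workaround is "nasty": the application must be reachable under a second name or address that is deliberately left out of the browser's trusted list, and whoever opens the first name is always logged in as the workstation user.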