You can specify fallback authentication in WildFly. That means if SPNEGO authentication fails, you can authenticate with, for example, FORM.
In such a case web.xml contains <auth-method>SPNEGO,FORM</auth-method>.
See How to Set Up SSO with Kerberos - Red Hat Customer Portal for details.
Could you link WAS documentation about that feature?
Thanks for your update Martin. The case you described is different though.
I know that WildFly supports fallback. In my case the situation is different.
SPNEGO authentication/authorization from let's say IE goes fine, the user
is logged in. Now I need to figure out the way to log him out and fall back
to form/basic. Normal setup enforces browser negotiation request exchange
and will force Kerberos authentication again and again and again. So I
don't know how to set up configuration allowing for logging a different
user to the application while staying still logged in with the same Windows
user to the workstation. I am aware that such a scenario could be
considered as a security rules violation.
Again, thank you for your interest!
One nasty workaround comes to my mind :) In the browser you have to configure for which domains negotiation should be performed, right? E.g. network.negotiate-auth.trusted-uris=localhost in Firefox. What if your application could be seen on 2 domains (or 1 domain + 1 IP) and only one of them will be configured in the browser? There is a chance that when accessing the second domain, FORM authentication will be offered.
I had a similar situation where the user needed to log out and log in using the FORM mechanism and bypass SPNEGO. I finally found a solution by switching the <auth-method> order in web.xml.
I changed it from:
I also added a parameter to my logout link so that the servlet forwarded the request to the form login page. Hope this helps.