so your best bet is simply to extract the web.xml, make the necessary mods, then repack the "WAR".
So if you're deploying to an exploded WAR, the original WAR file can be safely deleted once it has been exploded
You can't use SPNEGO to secure anything coming in from outside the LAN (i.e., the open Internet), and I'm not sure that Linux or MacOS clients can do Windows LAN logins even in these advanced times.
iOS supports authentication to enterprise networks through Single Sign-on (SSO).
SSO works with Kerberos-based networks to authenticate users to services they are
authorized to access. SSO can be used for a range of network activities, from secure
Safari sessions to third-party apps.
iOS SSO utilizes SPNEGO tokens and the HTTP Negotiate protocol to work with
Kerberos-based authentication gateways and Windows Integrated Authentication
systems that support Kerberos tickets. Certi?cated-based authentication is also
supported. SSO support is based on the open source Heimdal project.
The following encryption types are supported:
Safari supports SSO, and third-party apps that use standard iOS networking APIs can
also be con?gured to use it. To con?gure SSO, iOS supports a con?guration pro?le
payload that allows MDM servers to push down the necessary settings. This includes
setting the user principal name (that is, the Active Directory user account) and Kerberos
realm settings, as well as con?guring which apps and/or Safari web URLs should be
allowed to use SSO.
I'm sure is to allow mixed-source logins by vetting in-house logins against Active Directory using the JNDIRealm while allowing outsiders to be authenticated and authorized via database entries. You should be able to stack the JNDIRealm and the SPNEGO Realm the same way.