JBoss Enterprise Application Platform - JBEAP-11926

Http management interface can share SPNEGO identity between calls if Proxy is used in front


Description

    Document the security consideration for the case where a proxy is used in front of a management interface secured by Kerberos.

    https://tools.ietf.org/html/rfc4559#page-5 :

    This mechanism is not used for HTTP authentication to HTTP proxies.

    If an HTTP proxy is used between the client and server, it must take
    care to not share authenticated connections between different
    authenticated clients to the same server. If this is not honored,
    then the server can easily lose track of security context
    associations. A proxy that correctly honors client to server
    authentication integrity will supply the "Proxy-support: Session-
    Based-Authentication" HTTP header to the client in HTTP responses
    from the proxy. The client MUST NOT utilize the SPNEGO HTTP
    authentication mechanism through a proxy unless the proxy supplies
    this header with the "401 Unauthorized" response from the server.

    I think the best fit is its own subchapter in how_to_set_up_sso_with_kerberos/#configure-krb-management-interfaces

    This is a follow-up to https://issues.jboss.org/browse/JBEAP-11015.
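As an added example (not from this ticket, the EAP code base or the RFC), a client-side check that applies the RFC 4559 rule quoted above: SPNEGO is attempted through a proxy only when the 401 response offers Negotiate and carries Proxy-support: Session-Based-Authentication. The two HTTP responses are constructed for illustration.

```python
# Added example: decide whether an HTTP client may use SPNEGO through a proxy,
# following the rule quoted from RFC 4559 (not code from EAP or this ticket).

def parse_response(raw: str):
    """Split a raw HTTP response into (status code, {lower-case name: [values]})."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Header names are case-insensitive; a header may repeat, so keep a list.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def spnego_allowed_via_proxy(raw: str) -> bool:
    """True only if the 401 offers Negotiate AND the proxy advertises
    session-based authentication, i.e. it will not share the authenticated
    connection with other clients (RFC 4559 section 4.1 rule)."""
    status, headers = parse_response(raw)
    if status != 401:
        return False
    offers_negotiate = any(
        v.split(None, 1)[0].lower() == "negotiate"
        for v in headers.get("www-authenticate", []) if v
    )
    session_bound = any(
        v.lower() == "session-based-authentication"
        for v in headers.get("proxy-support", [])
    )
    return offers_negotiate and session_bound

# Constructed sample: the proxy promises per-client connections, SPNEGO is acceptable.
RESPONSE_WITH_PROXY_SUPPORT = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: Basic realm=\"ManagementRealm\"\r\n"
    "Proxy-support: Session-Based-Authentication\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed sample: same challenge, but the proxy gives no such guarantee, so a
# client honouring RFC 4559 must not send a Negotiate token through it.
RESPONSE_WITHOUT_PROXY_SUPPORT = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "Content-Length: 0\r\n\r\n"
)
```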

People

  Priyanka Pandey (rhn-support-pnag)
  Martin Choma (mchoma@redhat.com)