We have a legacy application which already uses authentication but cannot handle the realm part of the principal name. To enable single sign on we have made the changes in provided patch which allows to configure the module-option cutOffDomain for SPNEGOLoginModule. If the username ends with the realm name configured in this option the realm name is removed from the user name. This way the application gets the simpler name in the HttpServletRequest. Principals not ending with this realm are left untouched.