The SPNEGO Glassfish Plugin is a JMAC authentication module for the Glassfish servlet container. the basic http interactions are relatively straight-forward as follows:

1. jmac module in servlet container rejects request with HTTP 401 (Unauthorized) "WWW-Authenticate: Negotiate" header

2.browser computes spnego token and resends request with Authorization: Negotiate header containing base64 encoded spnego token (as you pointed out, we can find browsers that already know how to do this).

3. jmac module decodes token and uses it to call
gss_accept_security_context. jmac module returns an appropriate HTTP status code and header based on the outcome of the gss accept.

The plugin allows Glassfish to work with Kerberos single sign on authentication.