1. Look in the HttpServletRequest for an "Authorization: Negotiate (lots of Base64)" header.
2. If there isn't one, send an HTTP 401 response with a "WWW-Authenticate: Negotiate" challenge, and return.
3. Create a GSSAPI acceptor context for SPNEGO/GSSAPI/Kerberos, Base64 decode the token, and pass it to GSSContext.acceptSecContext().
4. If GSSContext.acceptSecContext() returns an output token (for mutual authentication), Base64 encode it, generate a "WWW-Authenticate: Negotiate (a little Base64)" HTTP header, and add it to the HTTP 200 response.
5. If GSSContext.isEstablished() isn't true, complain bitterly and abort.
6. Otherwise, use GSSContext.getPeerName() to discover who the (now authenticated) client is, use that information to populate the Subject, throw away the GSSContext, and declare victory for validateRequest()