Different clients perform authentication differently, so this policy
authorizes any principal for a requested user when the pair matches
specific conditions that are considered secure defaults for most
installations. Keep in mind that if a client does not request a username,
Java copies the authenticated ID to the requested username.
If the authenticated ID is in the form of a plain username, and the
requested user is in the form of a plain username, then the two must
be exactly the same.
If the authenticated ID contains an '@', then the portion before the
'@' must match exactly the requested username and the portion after
the '@' must match at least one of the following:
  - the XMPP domain of the server
  - the SASL realm of the server
  - an entry in the list of acceptable realms
If the requested username contains an '@' then the portion before the
'@' will be considered the requested username only if the portion after
the '@' matches the XMPP domain of the server or the portion after the
'@' in the authenticated ID, if any.
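
The rules above can be exercised with a short stand-alone check. This is an added example, not the project's own code. The class and method names, the sample domain and realm values, splitting at the last '@', rejecting an empty user part, and leaving a requested name unsplit when its domain does not match are all assumptions.

```java
import java.util.Set;

public class AuthzPolicyExample {
    // Constructed sample values (hypothetical server configuration).
    static final String XMPP_DOMAIN = "example.org";
    static final String SASL_REALM = "EXAMPLE.ORG";
    static final Set<String> ACCEPTED_REALMS = Set.of("corp.example.net");

    /** Returns true if authcid may act as the requested username. */
    static boolean authorize(String requested, String authcid) {
        String authUser = authcid;
        String authRealm = null;
        int at = authcid.lastIndexOf('@'); // assumption: split at the last '@'
        if (at >= 0) {
            authUser = authcid.substring(0, at);
            authRealm = authcid.substring(at + 1);
            // The realm of the authenticated ID must be one the server accepts.
            if (!authRealm.equals(XMPP_DOMAIN) && !authRealm.equals(SASL_REALM)
                    && !ACCEPTED_REALMS.contains(authRealm)) {
                return false;
            }
        }
        String reqUser = requested;
        at = requested.lastIndexOf('@');
        if (at >= 0) {
            String reqDomain = requested.substring(at + 1);
            // Strip the domain only if it is the server's or the authcid's own;
            // otherwise (assumption) the whole string stays the username.
            if (reqDomain.equals(XMPP_DOMAIN) || reqDomain.equals(authRealm)) {
                reqUser = requested.substring(0, at);
            }
        }
        // Assumption: an empty user part never authorizes.
        return !authUser.isEmpty() && authUser.equals(reqUser);
    }

    public static void main(String[] args) {
        String[][] cases = { // {requested, authcid}, all constructed
            {"alice", "alice"}, {"alice", "bob"},
            {"alice", "alice@EXAMPLE.ORG"}, {"alice", "alice@untrusted.test"},
            {"alice@example.org", "alice"}, {"alice@other.test", "alice"},
            {"alice@corp.example.net", "alice@corp.example.net"},
        };
        for (String[] c : cases) {
            System.out.printf("requested=%s authcid=%s -> %b%n",
                    c[0], c[1], authorize(c[0], c[1]));
        }
    }
}
```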