Facing the same issue here, under Wildfly 10. Have you managed to get this to work?

So in your case security domain "other" is applied? Do you have cache-type="default" specified on that security domain? If not wildfly try to authenticate on each request.

My domain is defined as follows:

                <security-domain name="jboss-web-policy" cache-type="default">

                    <authorization>

                        <policy-module code="Delegating" flag="required"/>

                    </authorization>

                </security-domain>

                <security-domain name="jboss-ejb-policy" cache-type="default">

                    <authorization>

                        <policy-module code="Delegating" flag="required"/>

                    </authorization>

                </security-domain>

                <security-domain name="MyRealm" cache-type="default">

                    <authentication>

                        <login-module code="Database" flag="required">

                            <module-option name="dsJndiName" value="java:jboss/MysqlXADS"/>

                            <module-option name="principalsQuery" value="SELECT password AS Password FROM user WHERE username = ?"/>

                            <module-option name="rolesQuery" value="select 'user' as Role, 'Roles' as RoleGroup union select 'admin' as Role, 'Roles' AS RoleGroup from user where admin is true and username = ?"/>

                        </login-module>

                    </authentication>

                </security-domain>

So I don't think that's the problem?

So probably what you want is to get rid of wildfly security domain to be involved. You want to be on your own.

So based on what you post on wildfly-dev, I believe  you have to remove MyRealm from jboss-web.xml to get what you want.

That unfortunately does not have the expected result. What I have currently achieved: Protected API endpoints, when logged in, can be accessed, if your not login, a Basic authentication challenge is started. The basic authentication is connected to the right security domain (so my username / password combination works). Now I was trying to implement another security mechanism, that connects to the same security domain through an unprotected API endpoint. If I remove MyRealm from jboss-web.xml, then httpServletRequest.login does not point to MyRealm and thus throws an error on login. Keep in mind! Even though bypassing the security on the login endpoint, the login method works just fine if MyRealm is defined  in jboss-web.xml (securityContext.getUserPrincipal is not null, without basic auth challenge), but it's somehow forgotten on the successive request (securityContext.getUserPrincipal is null again).

So problem here is this scenario? :

1) you access unprotected /api/me/login and logs in

2)you expects accessing /api/* will work without BASIC login dialog, but it is there?

Probably it is right behaviour. Note, client has to always send user/password as a request on BASIC authentication. But browsers use to cache user/password information and use it. Security domain cache can avoid unnecessary call to login module, in your case Database call from MyRealm security domain.

Could you fully protect your API with BASIC authentication - no unsecure channel?

I am currently using a Basic authentication scheme. I however want to switch to another authentication mechanism, because basic authentication headers are cached in the browser, making it impossible to do a logout (unless you’re in IE where you have control over the cached credentials). Furthermore I don’t like the idea of sending the credentials over the wire for every request.

I want to use another authentication scheme, but connect against the same security domain (and benefit from the authentication realm and all the authentication mechanisms in the application server).

httpservletrequest.login should give me access (and actually gives me access) to login to the security domain. This also works, the first time. The user principal is correctly set and I can use it for the lifetime of the request.

Strange enough, using basic auth the session gets attached to the cookie, and basic authentication headers are not required on the successive request. Using httpservletrequest.login however, on the next request, the principal is null again. (And yes, with basic auth still enabled, it figures out it still needs authentication, and a basic auth challenge is started, but my question really is why the session was not stored in the first place)

Seems that I managed to persist the login by calling httpservletrequest.authenticate(httpservletresponse) after the call on login. See http://stackoverflow.com/a/38976889/2104280 for a more detailled answer.

I have same problem...auhentication working on jboss as 7.1 but not on wildfly..

web.xml

<filter>

<filter-name>springSecurityFilterChain</filter-name>

<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>

</filter>

<filter-mapping>

<filter-name>springSecurityFilterChain</filter-name>

<url-pattern>/*</url-pattern>

</filter-mapping>

<!--    <security-constraint>

<web-resource-collection>

<web-resource-name>AgencyPortalUI</web-resource-name>

<url-pattern>/*</url-pattern>

<http-method>GET</http-method> 

    <http-method>POST</http-method>

</web-resource-collection>

<user-data-constraint>

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

</user-data-constraint>

</security-constraint> -->

<session-config>

<!-- 15 minutes 900000 milliseconds -->

<session-timeout>100</session-timeout>

</session-config>

</web-app>

and my jboss configuration ,same on wildfly

<subsystem xmlns="urn:jboss:domain:security:1.2">

            <security-domains>

                <security-domain name="other" cache-type="default">

                    <authentication>

                        <login-module code="Remoting" flag="optional">

                            <module-option name="password-stacking" value="useFirstPass"/>

                        </login-module>

                        <login-module code="RealmDirect" flag="optional">

                            <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>

                            <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>

                            <module-option name="realm" value="ApplicationRealm"/>

                            <module-option name="password-stacking" value="useFirstPass"/>

                        </login-module>

                    </authentication>

                </security-domain>

                <security-domain name="jboss-web-policy" cache-type="default">

                    <authorization>

                        <policy-module code="Delegating" flag="required"/>

                    </authorization>

                </security-domain>

                <security-domain name="jboss-ejb-policy" cache-type="default">

                    <authorization>

                        <policy-module code="Delegating" flag="required"/>

                    </authorization>

                </security-domain>

            </security-domains>

        </subsystem>

and my code

try {

LOGGER.info("before authenticate {}");

userTO = restEasyPortalServiceProxy.getLoginService().authenticate(

userName, userPass);

LOGGER.info("After authenticate : {}", userTO);

userSessionData.setAuthToken(userTO.getAuthToken());

} catch