"Forbidden" indicates that the Security API is working indeed. But the user is not allowed at all (eg if your application requires a certain role but your user is not assigned any role). As you ca see in LoginBacking.java  there is a check on the roles ADMIN and USER

Which configuration did you chose? For Elytron you shoold check chap 4 WildFly Elytron Security

Still though, I'm baffled as to why this works on Payara Full and not on WildFly standalone full. No configuration on either, I downloaded them a couple of days ago and haven't set them up yet.

I also don't know why this is working in Payara/Glassfish. But my understanding is that the program is not taking the correct approach. As you can see in the specs https://www.google.de/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=2ahUKEwiWzO2n5IbgAhUDIlAKHV89DpYQFjAAe…  (13.6.3 Form Based Authentication)

"The login form must contain fields for entering a username and a password. These fields must be named j_username and j_password, respectively."

So it usually looks like:

<form method="post" action="j_security_check">

                    <h:form prependId="false">

                        <p:growl id="messages"/>

                        <table columns="2" role="presentation">

                            <tr>

                                <td>

                                    <p:outputLabel for="j_username" value="Username:"/>

                                </td>

                                <!--   <td><input type="text" name="j_username" /></td> -->

                                <td>

                                    <p:inputText  id="j_username" required="true" immediate="true"

                                                  requiredMessage="#{msg.userid_required}"/>

                                </td>

                            </tr>

                            <tr>

                                <td>

                                    <p:outputLabel for="j_password" value="Password:"/>

                                </td>

                                <td>

                                    <p:password id="j_password" required="true" immediate="true"

                                                requiredMessage="#{msg.password_required}"/>

                                    <!--    <input type="password" name="j_password"/> -->

                                </td>

                            </tr>

                        </table>

                        <p>

                            <input type="submit" value="#{msg.button_login}" class="button"/>

                            <input type="reset" value="#{msg.button_reset}" class="button"/>

                        </p>

The user should then be made avaiable by the application server ("The container attempts to authenticate the user using the information from the

form") and not injected by the program.

No configuration on either, I downloaded them a couple of days ago and haven't set them up yet.

Usually the credentials are not hard coded in the program but taken from some other container like file, database, ldap etc,

And then you will have to configure the link between the program and the security container indeed. In Glassfish you will probably do this via the "Security" area

Actually I don't want to use Elytron because we have our own authentication (I know, I know, not my decision) and this CustomIdentityStore would be quite helpful.

Elytron does not actually do the authentication but links to the container (similar to the "Security" feature in Glassfish)