We are currently switching from PicketBox security to Elytron (on EAP 7.2).

Now we've got a problem with one of our ear deployments configuring two different security domains in jboss-ejb3.xml. We get "WFLYEJB0490: Multiple security domains not supported."

This has already been reported in JBEAP-9289 where it was said to be intentional, pointing out that Elytron should be flexible enough to handle the PicketBox multi security domain scenario. Also, that the solution would depend on the particular use case.

Our use case is as follows:

We have got one username/password based security domain which is used by almost all of our session beans. There is however one "login" SLSB which is called when users log into the client application. Its purpose is, among others, to record failed login attempts. Therefore we need a way for the client call to reach this bean even if the password is wrong. Our usual security domain would deny access. To this end, in the PicketBox system we have configured a  "NonValidating" security domain which is assigned to this bean only such that it can be called by any client. We haven't yet found a way to configure this in Elytron. Any ideas?

Thanks,

Gerret