Darran Lofthouse updated WFCORE-2666:
-------------------------------------
Fix Version/s: 3.0.0.Beta15
Elytron ApplicationDomain allows anonymous authentication
---------------------------------------------------------
Key: WFCORE-2666
URL: https://issues.jboss.org/browse/WFCORE-2666
Project: WildFly Core
Issue Type: Bug
Components: Security
Affects Versions: 3.0.0.Beta14
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Priority: Blocker
Labels: eap7.1-rfe-failure, eap71_beta_candidate
Fix For: 3.0.0.Beta15
The new default Elytron {{ApplicationDomain}} security domain allows anonymous authentication,
but PicketBox's default security domain {{other}} does not. As {{ApplicationDomain}} is expected
to be equivalent to the {{other}} security domain, it should behave the same.
_Customer impact:_ If a customer switches from the PicketBox default security domain to the Elytron
one, there is a risk of unintentionally permitting anonymous authentication. This would be a
security hole.
This is an ongoing discussion from JBEAP-9117, where it is discussed for the messaging
subsystem; however, this decision affects other subsystems and goes beyond messaging.
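To illustrate the mismatch, here is an added example of an Elytron subsystem fragment; it is not taken from this issue or from the WildFly code base. The first permission mapper grants {{LoginPermission}} to every principal, anonymous included, which is the behaviour reported here; the second places an empty mapping for the {{anonymous}} principal ahead of the match-all mapping, so anonymous never receives login permission. Element and attribute names are those of the Elytron subsystem; the mapper names are assumptions.

```xml
<subsystem xmlns="urn:wildfly:elytron:1.0">
    <security-domains>
        <!-- Assumed domain name; the permission mapper decides whether
             an authenticated (or anonymous) identity may actually log in. -->
        <security-domain name="ApplicationDomain"
                         default-realm="ApplicationRealm"
                         permission-mapper="deny-anonymous-permission-mapper">
            <realm name="ApplicationRealm"/>
        </security-domain>
    </security-domains>

    <mappers>
        <!-- Weak: one match-all mapping, so the anonymous identity is also
             granted LoginPermission and can authenticate anonymously. -->
        <simple-permission-mapper name="permissive-permission-mapper" mapping-mode="first">
            <permission-mapping match-all="true">
                <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
            </permission-mapping>
        </simple-permission-mapper>

        <!-- Corrected: with mapping-mode="first" the first matching entry wins,
             so the empty mapping for "anonymous" stops LoginPermission from ever
             reaching the anonymous identity; everyone else still falls through
             to the match-all mapping below. -->
        <simple-permission-mapper name="deny-anonymous-permission-mapper" mapping-mode="first">
            <permission-mapping>
                <principal name="anonymous"/>
                <!-- No permissions: anonymous is denied login -->
            </permission-mapping>
            <permission-mapping match-all="true">
                <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
            </permission-mapping>
        </simple-permission-mapper>
    </mappers>
</subsystem>
```

After reloading, an anonymous request against an application secured by {{ApplicationDomain}} is refused at login rather than mapped to an authenticated identity, matching the PicketBox {{other}} behaviour the issue asks for.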