[ https://issues.jboss.org/browse/ELY-861?page=com.atlassian.jira.plugin.sy... ] David Lloyd commented on ELY-861: --------------------------------- The RoleDecoder is responsible for getting the roles from the authorization identity. The domain stores a RoleDecoder with each RealmInfo. The SecurityDomain's anonymous identity is constructed from an empty per-Domain RealmInfo and the org.wildfly.security.authz.AuthorizationIdentity#EMPTY identity. The per-Domain RealmInfo is constructed with the org.wildfly.security.authz.RoleDecoder#DEFAULT role decoder. This decoder simply reads roles off of the "Roles" attribute key, which will be empty for the anonymous identity. One simple solution is to have configuration options for the anonymous identity's role mapper or decoder, which can simply return the set of roles that the anonymous identity should have. -- This message was sent by Atlassian JIRA (v7.2.3#72005)