Ondrej Lukas created WFLY-7878:
----------------------------------
Summary: Elytron security realms cannot be used only for authorization
Key: WFLY-7878
URL: https://issues.jboss.org/browse/WFLY-7878
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Blocker
Attachments: print-roles.war
Scenario: I try to configure the application server for a scenario where different identity
stores are used for authentication and authorization (e.g. username/password are stored in
LDAP and roles are assigned from a database).
In the case when authentication and authorization are handled by different security realms in
Elytron (i.e. an aggregate realm is used), authorization works only when the identity store
for the realm used for authorization also includes the username used for authentication.
See Steps to Reproduce for more details.
We request blocker since using different identity stores for authentication and
authorization is a common scenario which should be supported by Elytron. Even our
documentation explicitly mentions this scenario [1]:
??Consider the case where users are managed in a central LDAP server and
application-specific roles are stored in the application’s relational database.??
I tried this scenario with Properties and Filesystem Realms for authentication and
Properties and LDAP Realms for authorization.
[1]
https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-appli...
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
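Added example, not part of the report, its attachment or the WildFly project's own configuration: a jboss-cli script for the scenario the report describes, with credentials in one realm (a filesystem realm standing in for LDAP) and group membership in a second realm (a properties realm standing in for the database), combined through an aggregate realm. The realm, domain and factory names, the user alice, the file names and the role name are constructed for illustration; `global` and `default-permission-mapper` are assumed to be the resources from WildFly's default Elytron configuration.

```text
# Authentication realm: only credentials live here (constructed names and paths).
/subsystem=elytron/filesystem-realm=authnRealm:add(path=authn-users, relative-to=jboss.server.config.dir)
/subsystem=elytron/filesystem-realm=authnRealm:add-identity(identity=alice)
/subsystem=elytron/filesystem-realm=authnRealm:set-password(identity=alice, clear={password="secret"})

# Authorization realm: only group membership lives here. Constructed file contents:
#   authz-users.properties : alice=unused      (placeholder, never used for authentication)
#   authz-roles.properties : alice=Admin
/subsystem=elytron/properties-realm=authzRealm:add(users-properties={path=authz-users.properties, relative-to=jboss.server.config.dir, plain-text=true}, groups-properties={path=authz-roles.properties, relative-to=jboss.server.config.dir})

# Aggregate realm: verify the password against authnRealm, load attributes (groups) from authzRealm.
/subsystem=elytron/aggregate-realm=aggRealm:add(authentication-realm=authnRealm, authorization-realm=authzRealm)

# Turn the "groups" attribute loaded from authzRealm into roles.
/subsystem=elytron/simple-role-decoder=authz-groups-to-roles:add(attribute=groups)

# Security domain over the aggregate realm.
/subsystem=elytron/security-domain=aggDomain:add(default-realm=aggRealm, permission-mapper=default-permission-mapper, realms=[{realm=aggRealm, role-decoder=authz-groups-to-roles}])

# Expose the domain to web deployments via BASIC authentication.
/subsystem=elytron/http-authentication-factory=agg-http-auth:add(security-domain=aggDomain, http-server-mechanism-factory=global, mechanism-configurations=[{mechanism-name=BASIC, mechanism-realm-configurations=[{realm-name=aggRealm}]}])
/subsystem=undertow/application-security-domain=agg-app-sd:add(http-authentication-factory=agg-http-auth)
```

The line in authz-users.properties is the detail the report turns on: according to the reporter, roles from the authorization realm are only assigned when that realm's identity store also lists the username, so the entry for alice cannot be dropped even though its password is never checked. A deployment whose jboss-web.xml references the agg-app-sd security domain can then be used to observe which roles the authenticated user receives.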