Changing default-realm of Elytron security-domain through CLI can put the server configuration to wrong state ------------------------------------------------------------------------------------------------------------- Key: WFLY-7071 URL: https://issues.jboss.org/browse/WFLY-7071 Project: WildFly Issue Type: Bug Components: Security Reporter: Ondrej Lukas Assignee: Jan Kalina Fix For: 11.0.0.Final Values of write-attribute operation for default-realm of Elytron security-domain are not checked. It means that CLI allows users to set application server to wrong state. The same happens if realm, which is considered as default-realm, is removed from used security-domain realms. CLI should deny write attribute operation with wrong value (in the same way as it works for another security-domain attributes). After reload, server is not started and following logs occur in console: {code} ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 25) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "elytron"), ("security-domain" => "ApplicationDomain") ]) - failure description: "WFLYELY00013: The default_realm 'WrongRealm' is not in the list or realms referenced by this domain." ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) "WFLYCTL0193: Failed executing subsystem elytron boot operations" ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("parallel-subsystem-boot") failed - address: ([]) - failure description: "\"WFLYCTL0193: Failed executing subsystem elytron boot operations\"" FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details. {code}