Looks like @SecurityRealm("keycloak") is needed only if you have the elytron configuration in your wildfly standalone.xml file. I noticed that one test server had a bunch of extra keycloak elytron configuration while the other didn't. I deleted the extra configuration and now my application works as expected (authentication and authorization info is propagated to EJBs without any extra annotations). I guess this is the difference between legacy configuration and new elytron configuration. Seems like the new elytron client adapter is not as good as the legacy adapter / integration. Any reason not to stick with the legacy adapter? ----- Original Message ----- From: "Ryan Slominski" <ryans(a)jlab.org&gt; To: "keycloak-user" <keycloak-user(a)lists.jboss.org&gt; Sent: Wednesday, August 22, 2018 12:26:43 PM Subject: @SecurityDomain("keycloak") in EJB Using the Wildfly adapter I've noticed that the security context is propagated to EJBs without the SecurityDomain annotation in some cases, but not others. Does anyone know in what case it is needed? My only clue so far is Windows vs Linux, as I thought I configured both test boxes identically, but maybe I missed something. My application currently does not use the annotation and on my Windows test box authentication is propagated fine. However, on my Linux test box with the same war file I see unauthorized exception in the EJB layer even though the servlet reports I'm authenticated with proper roles. Does it have to do with Wildfly client adapter online vs offline install or adapter vs adapter-elytron install? If I end up having to import the org.jboss.ejb3.annotation.SecurityDomain that would break platform independence, which container managed security is supposed to support. _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user