In preparation for the eventual removal of the legacy security realms I would like to first reach an intermediate state where their use can be disabled.

Disabling the use of a subsystem is fairly easy: if we omit the jars containing the extension and don't register the extension, then the subsystem is unavailable.  The legacy security realms are a little different as they are a part of core.

I think there are two situations in which I would like to disable them:
For the former I can easily do something like ServiceLoader discovery or Class.forName to detect if required classes have been provisioned or not; for the latter I can check the Java version at runtime.

I would propose that in the disabled cases the resources are just not registered in the management model at all.  These are not a transformed resource so nothing special to consider there.  For the XML parsing, if the legacy security realms are found in the configuration I would then log an error to indicate they have been disabled and abort the boot process.

Technically it feels achievable; the only piece really that is not accurate is that the XML schema for management would still show these as valid elements.  Alternatively I could log a warning and ignore these elements, but that feels like it may cause more issues as users would be expecting them to be handled and any future writes to the configuration would drop them anyway.

Regards,
Darran Lofthouse.
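
The following sketch is an added example, not part of the original message and not the project's code. It shows the two runtime checks and the fail-fast parse described above using only JDK APIs; the class name, the Java version threshold and the `security-realms` element name are assumptions chosen for illustration.

```java
import java.io.StringReader;
import javax.xml.stream.*;

public class LegacyRealmGate {
    // Hypothetical placeholders: the message names neither the class nor the Java version.
    static final String REQUIRED_CLASS = "org.example.legacy.RequiredDependency";
    static final int FIRST_UNSUPPORTED_JAVA = 99;
    // Assumed name of the legacy realm element in the management configuration.
    static final String LEGACY_ELEMENT = "security-realms";

    static boolean classProvisioned(String name) {
        try {
            // initialize=false: test for presence only, run no static initializers
            Class.forName(name, false, LegacyRealmGate.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    static boolean legacyRealmsEnabled() {
        return classProvisioned(REQUIRED_CLASS)
                && Runtime.version().feature() < FIRST_UNSUPPORTED_JAVA;
    }

    // Rejects the configuration when it uses disabled realms, rather than silently dropping them.
    static void parse(String xml, boolean enabled) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        while (reader.hasNext()) {
            if (reader.next() == XMLStreamConstants.START_ELEMENT
                    && !enabled && LEGACY_ELEMENT.equals(reader.getLocalName())) {
                throw new XMLStreamException(
                        "Legacy security realms are disabled", reader.getLocation());
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample configuration.
        String xml = "<management><security-realms>"
                + "<security-realm name=\"ManagementRealm\"/></security-realms></management>";
        try {
            parse(xml, legacyRealmsEnabled());
            System.out.println("configuration accepted");
        } catch (XMLStreamException e) {
            System.out.println("boot aborted: " + e.getMessage());
        }
    }
}
```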