What is the main difference between security-domain and security-realm in WildFly?
standalone.xml
<security-domain name="foo">
<authentication>
<login-module code="..." flag="...">
</login-module>
</authentication>
</security-domain>
and
<security-realm name="foo">
<authentication>
<local default-user="..." allowed-users="..."
skip-group-loading="..."/>
<properties path="..." relative-to="..."/>
</authentication>
<authorization>
<properties path="..." relative-to="..."/>
</authorization>
</security-realm>
Answer updated (2018-06-08) to reflect WildFly Elytron naming. WildFly Elytron is a new security subsystem introduced in WildFly 11 (and JBoss EAP 7.1). Both security subsystems - legacy one and the Elytron - have notion of security domains and security realms but the meaning is different.
The Security Domains are used mainly for defining security of deployed applications.
The standard authentication in security domains is based on JAAS javax.security.auth.spi.LoginModule
implementations. Application can come up with custom login module(s).
The Security Realms are used mainly for configuration security of server management interfaces and remoting.
The realm authentication is based on provided implementations of javax.security.auth.callback.CallbackHandler
. AFAIK it's not possible to provide own CallbackHandler implementation.
A security domain can delegate authentication to a security realm by using the "RealmDirect" login module.
A security realm can delegate authentication to a security domain by using "jaas" authentication configuration
See also this response by JBoss security developer Darran Lofthouse.
The Security Realms encapsulate access to user repositories (DB - jdbc-realm, LDAP - ldap-realm, property file - properties-realm, ...). Compared to legacy security it's on a similar level as JAAS Login Modules. An API is provided so custom realms can be implemented.
The Security Domain represents a security policy which uses Security Realms for authentication. Security domains can be used in management security as well as in the application security. A successful authentication against a security domain produces a SecurityIdentity
which represents the current user.
Read Elytron subsystem chapter in JBoss EAP documentation to get a more detailed overview of Elytron components.
To learn more about controlling authentication flow in Elytron security domains read this article from Darran Lofthouse.
If you are migrating from Legacy to Elytron security, you can expose a Legacy Security Domain as an Elytron Security Realm. Read more about this scenario in the Elytron Subsystem Migration guide