Support for multiple security realms - Failover

In elytron
Tracked by 


Our security realms are able to indicate unavailability by throwing a RealmUnavailableException.

We should support fail over to an alternative realm.

A common request is to fail over to a local file-based realm if an LDAP or database server has gone down, allowing administrators to retain access to the server.

Issue Metadata


Dev Contacts

QE Contacts

Testing By

[ ] Engineering

[x] QE

Affected Projects or Components

  • Wildfly (documentation)

  • Wildfly Core

  • Elytron


Hard Requirements

Add FailoverRealm to Elytron, which will be a SecurityRealm wrapper containing a delegate realm and a failover realm. If the delegate throws a RealmUnavailableException during RealmIdentity lookup, the exception will be caught and the failover realm will be used instead. Configuration in WFCore will look like the following:

    <failover-realm name="TheRealm" delegate-realm="LdapRealm" failover-realm="LocalRealm" />

The failover-realm will emit a SecurityRealmUnavailableEvent to the corresponding SecurityDomain whenever it fails over. This can be turned off by adding the emit-events attribute and setting it to false.
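The wrapper behaviour described above, as an added sketch that is not Elytron's code: `Realm`, the nested `RealmUnavailableException`, the string identities and the `Consumer` standing in for the SecurityDomain are simplified assumptions, and the sample realms are constructed. It fails over only when the delegate reports unavailability, never when the delegate is reachable and simply has no such identity.

```java
import java.util.*;
import java.util.function.Consumer;

// Stand-ins for Elytron's SecurityRealm / RealmUnavailableException (assumed, simplified).
public class FailoverRealmSketch {
    static class RealmUnavailableException extends Exception {
        RealmUnavailableException(String msg) { super(msg); }
    }
    interface Realm {
        // Optional.empty() means "realm reachable, identity does not exist".
        Optional<String> lookup(String name) throws RealmUnavailableException;
    }

    static class FailoverRealm implements Realm {
        private final Realm delegate, failover;
        private final boolean emitEvents;
        private final Consumer<String> domain; // stands in for the SecurityDomain

        FailoverRealm(Realm delegate, Realm failover, boolean emitEvents, Consumer<String> domain) {
            this.delegate = delegate; this.failover = failover;
            this.emitEvents = emitEvents; this.domain = domain;
        }

        @Override
        public Optional<String> lookup(String name) throws RealmUnavailableException {
            try {
                return delegate.lookup(name); // an empty result is final: no failover
            } catch (RealmUnavailableException e) {
                if (emitEvents) domain.accept("SecurityRealmUnavailableEvent: " + e.getMessage());
                return failover.lookup(name); // may itself throw; that propagates
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: one LDAP-only user, one local-only administrator.
        Realm local = n -> Optional.ofNullable(Map.of("admin", "local:admin").get(n));
        Realm ldapUp = n -> Optional.ofNullable(Map.of("alice", "ldap:alice").get(n));
        Realm ldapDown = n -> { throw new RealmUnavailableException("LDAP unreachable"); };
        List<String> events = new ArrayList<>();

        Realm healthy = new FailoverRealm(ldapUp, local, true, events::add);
        Realm degraded = new FailoverRealm(ldapDown, local, true, events::add);
        System.out.println("LDAP up, admin:   " + healthy.lookup("admin"));
        System.out.println("LDAP down, admin: " + degraded.lookup("admin"));
        System.out.println("events: " + events);
    }
}
```

In this sketch the local-only administrator resolves only while the delegate is unavailable, and each failover leaves an event that monitoring on the security domain can alert on; setting the flag to false suppresses that record.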

Test Plan

Tests (parsing, persisting, transformer) will be added to the Wildfly Elytron Subsystem tests in Wildfly Core.

Community Documentation

Documentation for failover-realm will be added to the Wildfly documentation.