There are some attributes in elytron subsystem which have global effect on EAP server state even in case elytron security is not utilized in any way. Those are (at least):

• disallowed-providers
• final-providers
• initial-providers

We should put some note in description of those attributes that they have global effect on EAP server and take effect even in cases elytron security is not utilized anyhow. Reason is that it might be a little confusing for customers to find and configure these attributes in elytron subsystem even in case they use just legacy security-realm. One would expect that when something is configured in elytron subsystem it has not take effect unless explicitely referenced or used (because we still have also legacy security-realm based security). It is not a perfect state/UX but as Elytron is supposed to become a common and only place for server security configuration it is understandable that all new security related things are being put there.