diff --git a/elytron/pom.xml b/elytron/pom.xml
index e506f39254d..e1858af4213 100644
--- a/elytron/pom.xml
+++ b/elytron/pom.xml
@@ -414,6 +414,7 @@
                                 <exclude>jacc-with-providers.xml</exclude>
                                 <exclude>legacy*.xml</exclude>
                                 <exclude>elytron-subsystem-community*.xml</exclude>
+                                <exclude>elytron-subsystem-preview*.xml</exclude>
                             </excludes>
                             <systemId>src/main/resources/schema/wildfly-elytron_18_0.xsd</systemId>
                         </validationSet>
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemSchema.java b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemSchema.java
index 14f6e99baa4..79b3ccc435b 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemSchema.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemSchema.java
@@ -232,7 +232,9 @@ private void addMapperParser(PersistentResourceXMLDescription.PersistentResource
 
     private void addRealmParser(PersistentResourceXMLDescription.PersistentResourceXMLBuilder builder) {
         RealmParser realmParser = new RealmParser();
-        if (this.since(ElytronSubsystemSchema.VERSION_18_0)) {
+        if (this.since(ElytronSubsystemSchema.VERSION_18_0_PREVIEW)) {
+            builder.addChild(realmParser.realmParserPreview_18_0);
+        } else if (this.since(ElytronSubsystemSchema.VERSION_18_0)) {
             builder.addChild(realmParser.realmParser_18);
         } else if (this.since(ElytronSubsystemSchema.VERSION_16_0)) {
             builder.addChild(realmParser.realmParser_16);
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/RealmParser.java b/elytron/src/main/java/org/wildfly/extension/elytron/RealmParser.java
index 4a350c30a4b..cb1b1350e9d 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/RealmParser.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/RealmParser.java
@@ -112,6 +112,9 @@ class RealmParser {
     private final PersistentResourceXMLDescription tokenRealmParser = builder(PathElement.pathElement(ElytronDescriptionConstants.TOKEN_REALM))
             .addAttributes(TokenRealmDefinition.ATTRIBUTES)
             .build();
+    private final PersistentResourceXMLDescription tokenRealmParserPreview_18_0 = builder(PathElement.pathElement(ElytronDescriptionConstants.TOKEN_REALM))
+            .addAttributes(TokenRealmDefinition.ATTRIBUTES)
+            .build();
     private final PersistentResourceXMLDescription cachingRealmParser = builder(PathElement.pathElement(ElytronDescriptionConstants.CACHING_REALM))
             .addAttributes(CachingRealmDefinition.ATTRIBUTES)
             .build();
@@ -272,6 +275,23 @@ class RealmParser {
             .addChild(jaasRealmParser)
             .build();
 
+    final PersistentResourceXMLDescription realmParserPreview_18_0 = decorator(ElytronDescriptionConstants.SECURITY_REALMS)
+            .addChild(aggregateRealmParser_8_0)
+            .addChild(customRealmParser)
+            .addChild(customModifiableRealmParser)
+            .addChild(identityRealmParser)
+            .addChild(jdbcRealmParser_14_0)
+            .addChild(keyStoreRealmParser)
+            .addChild(propertiesRealmParser_14_0)
+            .addChild(ldapRealmParser)
+            .addChild(filesystemRealmParser_16)
+            .addChild(tokenRealmParserPreview_18_0)
+            .addChild(cachingRealmParser)
+            .addChild(distributedRealmParser_18)
+            .addChild(failoverRealmParser)
+            .addChild(jaasRealmParser)
+            .build();
+
     RealmParser() {
 
     }
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/TokenRealmDefinition.java b/elytron/src/main/java/org/wildfly/extension/elytron/TokenRealmDefinition.java
index d7b9293853e..f25afc4e979 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/TokenRealmDefinition.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/TokenRealmDefinition.java
@@ -59,11 +59,13 @@
 import org.jboss.as.controller.StringListAttributeDefinition;
 import org.jboss.as.controller.capability.RuntimeCapability;
 import org.jboss.as.controller.operations.validation.EnumValidator;
+import org.jboss.as.controller.operations.validation.IntRangeValidator;
 import org.jboss.as.controller.operations.validation.StringLengthValidator;
 import org.jboss.as.controller.parsing.ParseUtils;
 import org.jboss.as.controller.registry.AttributeAccess;
 import org.jboss.as.controller.registry.ManagementResourceRegistration;
 import org.jboss.as.controller.registry.OperationEntry;
+import org.jboss.as.version.Stability;
 import org.jboss.dmr.ModelNode;
 import org.jboss.dmr.ModelType;
 import org.jboss.msc.service.ServiceBuilder;
@@ -148,6 +150,20 @@ static class JwtValidatorAttributes {
                 .setMinSize(1)
                 .build();
 
+        static final SimpleAttributeDefinition CONNECTION_TIMEOUT = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.CONNECTION_TIMEOUT, ModelType.INT, true)
+                .setStability(Stability.PREVIEW)
+                .setAllowExpression(true)
+                .setValidator(new IntRangeValidator(0))
+                .setRestartAllServices()
+                .build();
+
+        static final SimpleAttributeDefinition READ_TIMEOUT = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.READ_TIMEOUT, ModelType.INT, true)
+                .setStability(Stability.PREVIEW)
+                .setAllowExpression(true)
+                .setValidator(new IntRangeValidator(0))
+                .setRestartAllServices()
+                .build();
+
         static final PropertiesAttributeDefinition KEY_MAP = new PropertiesAttributeDefinition.Builder(ElytronDescriptionConstants.KEY_MAP, true)
                 .setAllowExpression(true)
                 .setMinSize(1)
@@ -171,7 +187,7 @@ public void marshallSingleElement(AttributeDefinition attribute, ModelNode prope
                 .setRestartAllServices()
                 .build();
 
-        static final ObjectTypeAttributeDefinition JWT_VALIDATOR = new ObjectTypeAttributeDefinition.Builder(JWT, ISSUER, AUDIENCE, PUBLIC_KEY, KEY_STORE, CERTIFICATE, SSL_CONTEXT, HOSTNAME_VERIFICATION_POLICY, KEY_MAP)
+        static final ObjectTypeAttributeDefinition JWT_VALIDATOR = new ObjectTypeAttributeDefinition.Builder(JWT, ISSUER, AUDIENCE, PUBLIC_KEY, KEY_STORE, CERTIFICATE, SSL_CONTEXT, HOSTNAME_VERIFICATION_POLICY, KEY_MAP, CONNECTION_TIMEOUT, READ_TIMEOUT)
                 .setRequired(false)
                 .setRestartAllServices()
                 .build();
@@ -198,9 +214,23 @@ static class OAuth2IntrospectionValidatorAttributes {
                 .setFlags(AttributeAccess.Flag.RESTART_RESOURCE_SERVICES)
                 .build();
 
-        static final AttributeDefinition[] ATTRIBUTES = new AttributeDefinition[]{CLIENT_ID, CLIENT_SECRET, INTROSPECTION_URL, SSL_CONTEXT, HOSTNAME_VERIFICATION_POLICY};
+        static final SimpleAttributeDefinition CONNECTION_TIMEOUT = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.CONNECTION_TIMEOUT, ModelType.INT, true)
+                .setStability(Stability.PREVIEW)
+                .setAllowExpression(true)
+                .setValidator(new IntRangeValidator(0))
+                .setRestartAllServices()
+                .build();
+
+        static final SimpleAttributeDefinition READ_TIMEOUT = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.READ_TIMEOUT, ModelType.INT, true)
+                .setStability(Stability.PREVIEW)
+                .setAllowExpression(true)
+                .setValidator(new IntRangeValidator(0))
+                .setRestartAllServices()
+                .build();
+
+        static final AttributeDefinition[] ATTRIBUTES = new AttributeDefinition[]{CLIENT_ID, CLIENT_SECRET, INTROSPECTION_URL, SSL_CONTEXT, HOSTNAME_VERIFICATION_POLICY, CONNECTION_TIMEOUT, READ_TIMEOUT};
 
-        static final ObjectTypeAttributeDefinition OAUTH2_INTROSPECTION_VALIDATOR = new ObjectTypeAttributeDefinition.Builder(OAUTH2_INTROSPECTION, CLIENT_ID, CLIENT_SECRET, INTROSPECTION_URL, SSL_CONTEXT, HOSTNAME_VERIFICATION_POLICY)
+        static final ObjectTypeAttributeDefinition OAUTH2_INTROSPECTION_VALIDATOR = new ObjectTypeAttributeDefinition.Builder(OAUTH2_INTROSPECTION, CLIENT_ID, CLIENT_SECRET, INTROSPECTION_URL, SSL_CONTEXT, HOSTNAME_VERIFICATION_POLICY, CONNECTION_TIMEOUT, READ_TIMEOUT)
                 .setRequired(false)
                 .setRestartAllServices()
                 .build();
@@ -271,6 +301,8 @@ protected void performRuntime(OperationContext context, ModelNode operation, Mod
                 String sslContextRef = SSL_CONTEXT.resolveModelAttribute(context, jwtValidatorNode).asStringOrNull();
                 String hostNameVerificationPolicy = HOSTNAME_VERIFICATION_POLICY.resolveModelAttribute(context, jwtValidatorNode).asStringOrNull();
                 InjectedValue<SSLContext> sslContextInjector = new InjectedValue<>();
+                Integer connectionTimeout = JwtValidatorAttributes.CONNECTION_TIMEOUT.resolveModelAttribute(context, jwtValidatorNode).asIntOrNull();
+                Integer readTimeout = JwtValidatorAttributes.READ_TIMEOUT.resolveModelAttribute(context, jwtValidatorNode).asIntOrNull();
                 ModelNode keyMap = KEY_MAP.resolveModelAttribute(context, jwtValidatorNode);
                 Map<String, PublicKey> namedKeys = new LinkedHashMap<>();
                 if (keyMap.isDefined()) {
@@ -320,6 +352,12 @@ public SecurityRealm get() throws StartException {
                         if (namedKeys.size() > 0) {
                             jwtValidatorBuilder.publicKeys(namedKeys);
                         }
+                        if (connectionTimeout != null) {
+                            jwtValidatorBuilder.connectionTimeout(connectionTimeout);
+                        }
+                        if (readTimeout != null) {
+                            jwtValidatorBuilder.readTimeout(readTimeout);
+                        }
                         KeyStore keyStore = keyStoreInjector.getOptionalValue();
 
                         if (keyStore != null) {
@@ -375,6 +413,8 @@ public void dispose() {
                 String introspectionUrl = OAuth2IntrospectionValidatorAttributes.INTROSPECTION_URL.resolveModelAttribute(context, oAuth2IntrospectionNode).asString();
                 String sslContextRef = SSL_CONTEXT.resolveModelAttribute(context, oAuth2IntrospectionNode).asStringOrNull();
                 String hostNameVerificationPolicy = HOSTNAME_VERIFICATION_POLICY.resolveModelAttribute(context, oAuth2IntrospectionNode).asStringOrNull();
+                Integer connectionTimeout = OAuth2IntrospectionValidatorAttributes.CONNECTION_TIMEOUT.resolveModelAttribute(context, oAuth2IntrospectionNode).asIntOrNull();
+                Integer readTimeout = OAuth2IntrospectionValidatorAttributes.READ_TIMEOUT.resolveModelAttribute(context, oAuth2IntrospectionNode).asIntOrNull();
                 InjectedValue<SSLContext> sslContextInjector = new InjectedValue<>();
 
                 service = new TrivialService<>(new TrivialService.ValueSupplier<SecurityRealm>() {
@@ -389,6 +429,12 @@ public SecurityRealm get() throws StartException {
                                     .tokenIntrospectionUrl(new URL(introspectionUrl))
                                     .useSslContext(sslContextInjector.getOptionalValue())
                                     .useSslHostnameVerifier(verifier);
+                            if (connectionTimeout != null) {
+                                builder.connectionTimeout(connectionTimeout);
+                            }
+                            if (readTimeout != null) {
+                                builder.readTimeout(readTimeout);
+                            }
                             return TokenSecurityRealm.builder().principalClaimName(principalClaimNode.asString())
                                     .validator(builder.build())
                                     .build();
diff --git a/elytron/src/main/resources/org/wildfly/extension/elytron/LocalDescriptions.properties b/elytron/src/main/resources/org/wildfly/extension/elytron/LocalDescriptions.properties
index 36d6297c7e5..c1a10913818 100644
--- a/elytron/src/main/resources/org/wildfly/extension/elytron/LocalDescriptions.properties
+++ b/elytron/src/main/resources/org/wildfly/extension/elytron/LocalDescriptions.properties
@@ -932,6 +932,8 @@ elytron.token-realm.jwt.key-map=A map of named public keys for token verificatio
 elytron.token-realm.jwt.certificate=The name of the certificate with a public key to load from the key store.
 elytron.token-realm.jwt.client-ssl-context=The SSL context to be used for fetching jku keys using HTTPS.
 elytron.token-realm.jwt.host-name-verification-policy=A policy that defines how host names should be verified when using HTTPS.
+elytron.token-realm.jwt.connection-timeout=The timeout for connecting in milliseconds. A non-zero value specifies the timeout when connecting to a resource. A timeout of zero is interpreted as an infinite timeout.
+elytron.token-realm.jwt.read-timeout=The read timeout in milliseconds. A non-zero value specifies the timeout when reading from Input stream when a connection is established to a resource. A timeout of zero is interpreted as an infinite timeout.
 # OAuth2 Introspection Validator Complex Attribute
 elytron.token-realm.oauth2-introspection=A token validator to be used in conjunction with a token-based realm that handles OAuth2 Access Tokens and validates them using an endpoint compliant with OAuth2 Token Introspection specification(RFC-7662).
 elytron.token-realm.oauth2-introspection.client-id=The identifier of the client on the OAuth2 Authorization Server.
@@ -939,6 +941,8 @@ elytron.token-realm.oauth2-introspection.client-secret=The secret of the client.
 elytron.token-realm.oauth2-introspection.introspection-url=The URL of token introspection endpoint.
 elytron.token-realm.oauth2-introspection.client-ssl-context=The SSL context to be used if the introspection endpoint is using HTTPS.
 elytron.token-realm.oauth2-introspection.host-name-verification-policy=A policy that defines how host names should be verified when using HTTPS. Allowed values: 'ANY'.
+elytron.token-realm.oauth2-introspection.connection-timeout=The timeout for connecting in milliseconds. A non-zero value specifies the timeout when connecting to a resource. A timeout of zero is interpreted as an infinite timeout.
+elytron.token-realm.oauth2-introspection.read-timeout=The read timeout in milliseconds. A non-zero value specifies the timeout when reading from Input stream when a connection is established to a resource. A timeout of zero is interpreted as an infinite timeout.
 
 # Identity management descriptions
 elytron.modifiable-security-realm.add-identity=Add an identity to a security realm.
diff --git a/elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd b/elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd
index 10545bd6ff8..045aec6a8e3 100644
--- a/elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd
+++ b/elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd
@@ -2042,6 +2042,20 @@
                 </xs:documentation>
             </xs:annotation>
         </xs:attribute>
+        <xs:attribute name="connection-timeout" type="xs:integer" use="optional">
+            <xs:annotation>
+                <xs:documentation>
+                    The timeout for connecting in milliseconds. A non-zero value specifies the timeout when connecting to a resource. A timeout of zero is interpreted as an infinite timeout.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="read-timeout" type="xs:integer" use="optional">
+            <xs:annotation>
+                <xs:documentation>
+                    The read timeout in milliseconds. A non-zero value specifies the timeout when reading from Input stream when a connection is established to a resource. A timeout of zero is interpreted as an infinite timeout.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
     </xs:complexType>
 
     <xs:complexType name="oauth2IntrospectionTokenRealmValidatorType">
@@ -2085,6 +2099,20 @@
                 </xs:documentation>
             </xs:annotation>
         </xs:attribute>
+        <xs:attribute name="connection-timeout" type="xs:integer" use="optional">
+            <xs:annotation>
+                <xs:documentation>
+                    The timeout for connecting in milliseconds. A non-zero value specifies the timeout when connecting to a resource. A timeout of zero is interpreted as an infinite timeout.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="read-timeout" type="xs:integer" use="optional">
+            <xs:annotation>
+                <xs:documentation>
+                    The read timeout in milliseconds. A non-zero value specifies the timeout when reading from Input stream when a connection is established to a resource. A timeout of zero is interpreted as an infinite timeout.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
     </xs:complexType>
 
     <xs:complexType name="dirContextsType">
diff --git a/elytron/src/test/resources/org/wildfly/extension/elytron/elytron-subsystem-preview-18.0.xml b/elytron/src/test/resources/org/wildfly/extension/elytron/elytron-subsystem-preview-18.0.xml
new file mode 100644
index 00000000000..d84d6ed2912
--- /dev/null
+++ b/elytron/src/test/resources/org/wildfly/extension/elytron/elytron-subsystem-preview-18.0.xml
@@ -0,0 +1,396 @@
+<!--
+  ~ Copyright The WildFly Authors
+  ~ SPDX-License-Identifier: Apache-2.0
+  -->
+
+<!-- for needs of DomainTestCase -->
+<subsystem xmlns="urn:wildfly:elytron:preview:18.0" register-jaspi-factory="false" default-ssl-context="client">
+    <security-domains>
+        <security-domain name="MyDomain" default-realm="FileRealm" realm-mapper="MyRealmMapper" permission-mapper="MyPermissionMapper"
+                         pre-realm-principal-transformer="NameRewriterXY" post-realm-principal-transformer="NameRewriterYU" trusted-security-domains="AnotherDomain">
+            <realm name="FileRealm" role-decoder="MyRoleDecoder" role-mapper="MyRoleMapper"/>
+            <realm name="PropRealm" principal-transformer="NameRewriterRealmRemover"/>
+        </security-domain>
+        <security-domain name="X500Domain" default-realm="FileRealm" principal-decoder="MyX500PrincipalDecoder">
+            <realm name="FileRealm"/>
+        </security-domain>
+        <security-domain name="X500DomainTwo" default-realm="FileRealm" principal-decoder="MyX500PrincipalDecoderTwo">
+            <realm name="FileRealm"/>
+        </security-domain>
+        <security-domain name="X500DomainThree" default-realm="FileRealm" principal-decoder="MyX500PrincipalDecoderThree">
+            <realm name="FileRealm"/>
+        </security-domain>
+        <security-domain name="X500DomainFour" default-realm="FileRealm" principal-decoder="MyX500PrincipalDecoderThree" evidence-decoder="aggregateEvidenceDecoder">
+            <realm name="FileRealm"/>
+        </security-domain>
+        <security-domain name="AnotherDomain" default-realm="PropRealm" permission-mapper="LoginPermissionMapper" trusted-security-domains="MyDomain">
+            <realm name="PropRealm"/>
+        </security-domain>
+        <security-domain name="AggregateRealm" default-realm="PropRealm" role-decoder="aggregateRoleDecoder">
+            <realm name="PropRealm"/>
+        </security-domain>
+        <security-domain name="TestDomain" default-realm="PropRealm" permission-mapper="LoginPermissionMapper" trusted-virtual-security-domains="VirtualDomain">
+            <realm name="PropRealm"/>
+        </security-domain>
+        <virtual-security-domain name="VirtualDomain" outflow-security-domains="MyDomain" outflow-anonymous="true" />
+        <virtual-security-domain name="AnotherVirtualDomain" outflow-security-domains="MyDomain" outflow-anonymous="true" auth-method="OIDC"/>
+    </security-domains>
+    <security-realms>
+        <aggregate-realm name="AggregateOne" authentication-realm="PropRealm" authorization-realm="FileRealm" />
+        <aggregate-realm name="AggregateTwo" authentication-realm="JdbcRealm" authorization-realms="AggregateOne FileRealm" />
+        <jdbc-realm name="NewJdbcScramSha384">
+            <principal-query sql="SELECT" data-source="ExampleDS">
+                <scram-mapper algorithm="scram-sha-384" password-index="1" salt-index="2" iteration-count-index="10000"/>
+            </principal-query>
+        </jdbc-realm>
+        <jdbc-realm name="NewJdbcScramSha512">
+            <principal-query sql="SELECT" data-source="ExampleDS">
+                <scram-mapper algorithm="scram-sha-512" password-index="1" salt-index="2" iteration-count-index="10000"/>
+            </principal-query>
+        </jdbc-realm>
+        <jdbc-realm name="JdbcRealm">
+            <principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
+                <attribute-mapping>
+                    <attribute index="1" to="role"/>
+                </attribute-mapping>
+                <clear-password-mapper password-index="2"/>
+                <bcrypt-mapper password-index="2" salt-index="3" iteration-count-index="4" hash-encoding="hex" salt-encoding="hex"/>
+                <salted-simple-digest-mapper password-index="2" salt-index="3" algorithm="password-salt-digest-sha-1" hash-encoding="hex" salt-encoding="hex"/>
+                <simple-digest-mapper password-index="2" hash-encoding="hex" algorithm="simple-digest-sha-1"/>
+                <scram-mapper password-index="2" salt-index="3" iteration-count-index="4" hash-encoding="hex" salt-encoding="hex" algorithm="scram-sha-1"/>
+                <modular-crypt-mapper password-index="2"/>
+            </principal-query>
+        </jdbc-realm>
+        <properties-realm name="PropRealm">
+            <users-properties path="users-hashed.properties" relative-to="jboss.server.config.dir"/>
+        </properties-realm>
+        <properties-realm name="NonDomainRealm">
+            <users-properties path="users-hashed.properties" relative-to="jboss.server.config.dir"/>
+        </properties-realm>
+        <filesystem-realm name="FileRealm" levels="2" encoded="false">
+            <file path="filesystem-realm" relative-to="jboss.server.config.dir"/>
+        </filesystem-realm>
+        <distributed-realm name="DistributedRealm" realms="FileRealm PropRealm"/>
+        <failover-realm name="FailoverRealm" delegate-realm="JdbcRealm" failover-realm="PropRealm"/>
+    </security-realms>
+    <credential-security-factories>
+        <custom-credential-security-factory name="CustomFactory" module="a.b.c" class-name="org.wildfly.security.ElytronFactory">
+            <configuration>
+                <property name="a" value="b"/>
+                <property name="c" value="d"/>
+            </configuration>
+        </custom-credential-security-factory>
+
+        <kerberos-security-factory name="KerberosFactory"
+                                   principal="bob@Elytron.org"
+                                   path="bob.keytab"
+                                   relative-to="server.config.dir"
+                                   minimum-remaining-lifetime="10"
+                                   request-lifetime="120"
+                                   server="false"
+                                   obtain-kerberos-ticket="true"
+                                   debug="true"
+                                   wrap-gss-credential="true"
+                                   required="true"
+                                   mechanism-names="KRB5 KRB5LEGACY"
+                                   mechanism-oids="1.2.840.113554.1.2.2 1.3.6.1.5.5.2">
+            <option name="a" value="b"/>
+            <option name="c" value="d"/>
+        </kerberos-security-factory>
+        <kerberos-security-factory name="OptionLessKerberosFactory"
+                                   principal="bob@Elytron.org"
+                                   path="bob.keytab"
+                                   relative-to="server.config.dir"
+                                   minimum-remaining-lifetime="10"
+                                   request-lifetime="120"
+                                   server="false"
+                                   obtain-kerberos-ticket="true"
+                                   debug="true"
+                                   wrap-gss-credential="true"
+                                   mechanism-oids="1.2.840.113554.1.2.2 1.3.6.1.5.5.2"/>
+    </credential-security-factories>
+    <mappers>
+        <custom-permission-mapper class-name="org.wildfly.extension.elytron.DomainTestCase$MyPermissionMapper" name="MyPermissionMapper" module="a.b.c"/>
+        <custom-permission-mapper class-name="org.wildfly.extension.elytron.DomainTestCase$LoginPermissionMapper" name="LoginPermissionMapper" module="a.b.c"/>
+        <simple-permission-mapper name="SimplePermissionMapperLegacy" mapping-mode="and">
+            <permission-mapping>
+                <principal name="John"/>
+                <principal name="Joe"/>
+                <role name="User"/>
+                <role name="Administrator"/>
+                <permission class-name="a.b.MyPermission"/>
+                <permission class-name="a.b.MyOtherPermission" target-name="../c" action="delete"/>
+            </permission-mapping>
+            <permission-mapping>
+                <principal name="John Doe"/>
+                <permission class-name="a.b.JohnPermission"/>
+            </permission-mapping>
+            <permission-mapping>
+                <principal name="User"/>
+                <permission class-name="a.b.UserPermission"/>
+            </permission-mapping>
+            <permission-mapping match-all="true"/>
+        </simple-permission-mapper>
+        <simple-permission-mapper name="SimplePermissionMapper" mapping-mode="and">
+            <permission-mapping>
+                <principal name="John"/>
+                <principal name="Joe"/>
+                <role name="User"/>
+                <role name="Administrator"/>
+                <permission class-name="a.b.MyPermission" />
+                <permission-set name="my-permissions"/>
+            </permission-mapping>
+            <permission-mapping>
+                <principal name="John Doe"/>
+                <permission-set name="john-permissions"/>
+            </permission-mapping>
+            <permission-mapping>
+                <principal name="User"/>
+                <permission-set name="user-permissions"/>
+            </permission-mapping>
+            <permission-mapping match-all="true"/>
+        </simple-permission-mapper>
+        <constant-permission-mapper name="ConstantPermissionMapperLegacy">
+            <permission class-name="a.b.UserPermission"/>
+        </constant-permission-mapper>
+        <constant-permission-mapper name="ConstantPermissionMapper">
+            <permission-set name="user-permissions"/>
+        </constant-permission-mapper>
+        <concatenating-principal-decoder joiner="@" name="MyX500PrincipalDecoderThree">
+            <principal-decoder name="MyCnDecoder"/>
+            <principal-decoder name="MyDcDecoder"/>
+        </concatenating-principal-decoder>
+        <x500-attribute-principal-decoder joiner="," maximum-segments="6" name="MyX500PrincipalDecoder" oid="2.5.4.3"/>
+        <x500-attribute-principal-decoder joiner="," maximum-segments="1" name="MyX500PrincipalDecoderTwo" oid="2.5.4.3" required-oids="2.5.4.3 2.5.4.11"
+                                          required-attributes="cN" reverse="true"
+                                          start-segment="2"/>
+        <x500-attribute-principal-decoder maximum-segments="1" name="MyCnDecoder" attribute-name="Cn" start-segment="1"/>
+        <x500-attribute-principal-decoder name="MyDcDecoder" oid="0.9.2342.19200300.100.1.25"/>
+        <regex-principal-transformer name="NameRewriterXY" pattern="x(.*)" replacement="y$1"/>
+        <regex-principal-transformer name="NameRewriterYU" pattern="y(.*)" replacement="u$1"/>
+        <regex-principal-transformer name="NameRewriterRealmRemover" pattern="(.*)@.*" replacement="$1"/>
+        <simple-regex-realm-mapper name="MyRealmMapper" pattern=".*@(.*)"/>
+        <simple-role-decoder attribute="roles" name="MyRoleDecoder"/>
+        <add-prefix-role-mapper name="RolePrefixer" prefix="prefix"/>
+        <add-suffix-role-mapper name="RoleSuffixer" suffix="suffix"/>
+        <aggregate-role-mapper name="MyRoleMapper">
+            <role-mapper name="RolePrefixer"/>
+            <role-mapper name="RoleSuffixer"/>
+        </aggregate-role-mapper>
+        <mapped-role-mapper name="MappedRoleMapper" keep-mapped="false" keep-non-mapped="true">
+            <role-mapping from="Admin" to="Administrator"/>
+            <role-mapping from="foo" to="bar baz"/>
+        </mapped-role-mapper>
+        <x500-subject-evidence-decoder name="subjectDecoder" />
+        <x509-subject-alt-name-evidence-decoder name="rfc822Decoder" alt-name-type="rfc822Name" segment="1" />
+        <custom-evidence-decoder name="customEvidenceDecoder" class-name="org.wildfly.elytron.CustomEvidenceDecoder" module="l.m" />
+        <aggregate-evidence-decoder name="aggregateEvidenceDecoder">
+            <evidence-decoder name="rfc822Decoder"/>
+            <evidence-decoder name="subjectDecoder"/>
+        </aggregate-evidence-decoder>
+        <source-address-role-decoder name="ipRoleDecoder" source-address="10.12.14.16" roles="admin user"/>
+        <source-address-role-decoder name="regexRoleDecoder" pattern="10\.12\.14\.\d+$" roles="employee"/>
+        <aggregate-role-decoder name="aggregateRoleDecoder">
+            <role-decoder name="ipRoleDecoder"/>
+            <role-decoder name="regexRoleDecoder"/>
+        </aggregate-role-decoder>
+    </mappers>
+    <permission-sets>
+        <permission-set name="my-permissions">
+            <permission class-name="a.b.MyPermission" />
+            <permission class-name="a.b.MyOtherPermission" target-name="../c" action="delete" />
+        </permission-set>
+        <permission-set name="john-permissions">
+            <permission class-name="a.b.JohnPermission" />
+        </permission-set>
+        <permission-set name="user-permissions">
+            <permission class-name="a.b.UserPermission" />
+        </permission-set>
+    </permission-sets>
+    <sasl>
+        <sasl-authentication-factory name="SaslAuthenticationDefinition" security-domain="MyDomain" sasl-server-factory="ConfigurableSaslServerFactory">
+            <mechanism-configuration>
+                <mechanism mechanism-name="PLAIN" pre-realm-principal-transformer="PreRealmNameRewriter" post-realm-principal-transformer="PostRealmNameRewriter"
+                           final-principal-transformer="FinalNameRewriter" realm-mapper="RegexMapper">
+                    <mechanism-realm realm-name="Test Realm" pre-realm-principal-transformer="PreRealmNameRewriter_II"
+                                     post-realm-principal-transformer="PostRealmNameRewriter_II" final-principal-transformer="FinalNameRewriter_II"
+                                     realm-mapper="RegexMapper_II"/>
+                </mechanism>
+            </mechanism-configuration>
+        </sasl-authentication-factory>
+        <sasl-authentication-factory name="KerberosHttpMgmtSaslTestCase" sasl-server-factory="KerberosHttpMgmtSaslTestCase"
+                                     security-domain="KerberosHttpMgmtSaslTestCase">
+            <mechanism-configuration>
+                <mechanism mechanism-name="GSSAPI" credential-security-factory="KerberosHttpMgmtSaslTestCase">
+                    <mechanism-realm realm-name="KerberosHttpMgmtSaslTestCase" />
+                </mechanism>
+                <mechanism mechanism-name="GS2-KRB5" credential-security-factory="KerberosHttpMgmtSaslTestCase">
+                    <mechanism-realm realm-name="KerberosHttpMgmtSaslTestCase" />
+                </mechanism>
+                <mechanism mechanism-name="GS2-KRB5-PLUS" credential-security-factory="KerberosHttpMgmtSaslTestCase">
+                    <mechanism-realm realm-name="KerberosHttpMgmtSaslTestCase" />
+                </mechanism>
+            </mechanism-configuration>
+        </sasl-authentication-factory>
+        <aggregate-sasl-server-factory name="AggregateSaslFactory">
+            <sasl-server-factory name="ProviderSaslFactory"/>
+            <sasl-server-factory name="ServiceSaslFactory"/>
+        </aggregate-sasl-server-factory>
+        <configurable-sasl-server-factory name="ConfigurableSaslServerFactory" server-name="server" protocol="test-protocol" sasl-server-factory="MechFiltering">
+            <properties>
+                <property name="a" value="b"/>
+                <property name="c" value="d"/>
+            </properties>
+            <filters>
+                <filter enabling="false" pattern="x"/>
+                <filter enabling="false" predefined="HASH_MD5"/>
+            </filters>
+        </configurable-sasl-server-factory>
+        <mechanism-provider-filtering-sasl-server-factory name="MechFiltering" sasl-server-factory="AggregateSaslFactory" enabling="false">
+            <filters>
+                <filter mechanism-name="Digest" provider-name="Sun" provider-version="1.5" version-comparison="greater-than"/>
+                <filter mechanism-name="Scram" provider-name="Sun" provider-version="1.5" version-comparison="greater-than"/>
+            </filters>
+        </mechanism-provider-filtering-sasl-server-factory>
+        <provider-sasl-server-factory name="ProviderSaslFactory" providers="TestProviderLoader"/>
+        <service-loader-sasl-server-factory name="ServiceSaslFactory" module="a.b.c"/>
+    </sasl>
+    <tls>
+        <key-stores>
+            <key-store name="PKCS_11">
+                <credential-reference clear-text="password"/>
+                <implementation type="PKCS#11" provider-name="SunPKCS#11"/>
+            </key-store>
+            <key-store name="jks_store" alias-filter="one,two,three">
+                <credential-reference clear-text="password"/>
+                <implementation type="jks"/>
+                <file relative-to="jboss.server.config.dir" path="keystore.jks" required="true"/>
+            </key-store>
+            <key-store name="jceks_store">
+                <credential-reference clear-text="password"/>
+                <implementation type="jceks"/>
+                <file relative-to="jboss.server.config.dir" path="keystore.jceks"/>
+            </key-store>
+            <key-store name="Custom_PKCS_11">
+                <credential-reference clear-text="password"/>
+                <implementation type="PKCS#11" provider-name="SunPKCS#11" providers="custom-loader"/>
+            </key-store>
+            <key-store name="accounts.keystore">
+                <credential-reference clear-text="elytron"/>
+                <implementation type="JKS"/>
+                <file path="accounts.keystore.jks" relative-to="jboss.server.config.dir"/>
+            </key-store>
+            <key-store name="test.keystore">
+                <credential-reference clear-text="elytron"/>
+                <implementation type="PKCS12"/>
+                <file path="test.keystore" relative-to="jboss.server.config.dir"/>
+            </key-store>
+            <filtering-key-store name="FilteringKeyStore" key-store="Custom_PKCS_11" alias-filter="NONE:+firefly"/>
+        </key-stores>
+        <key-managers>
+            <key-manager name="serverKey" algorithm="SunX509" key-store="jks_store">
+                <credential-reference clear-text="password"/>
+            </key-manager>
+            <key-manager name="serverKey2" algorithm="SunX509" key-store="jks_store" providers="custom-loader" provider-name="first">
+                <credential-reference store="credstore1" alias="password-alias" type="PasswordCredential"/>
+            </key-manager>
+            <key-manager name="clientKey" algorithm="SunX509" key-store="jks_store">
+                <credential-reference store="credstore1" alias="password-alias" type="PasswordCredential"/>
+            </key-manager>
+            <key-manager name="LazyKeyManager" key-store="test.keystore" generate-self-signed-certificate-host="localhost">
+                <credential-reference clear-text="elytron"/>
+            </key-manager>
+        </key-managers>
+        <trust-managers>
+            <trust-manager name="serverTrust" algorithm="SunX509" key-store="jks_store"/>
+            <trust-manager name="serverTrust2" algorithm="SunX509" key-store="jks_store" providers="custom-loader" provider-name="first"/>
+            <trust-manager name="trust-with-crl" algorithm="SunX509" key-store="jks_store">
+                <certificate-revocation-list path="crl.pem" relative-to="jboss.server.config.dir" maximum-cert-path="2"/>
+            </trust-manager>
+            <trust-manager name="trust-with-crl-dp" algorithm="SunX509" key-store="jks_store">
+                <certificate-revocation-list/>
+            </trust-manager>
+            <trust-manager name="trust-with-ocsp" algorithm="PKIX" key-store="jks_store">
+                <ocsp responder="http://localhost/ocsp" responder-keystore="jceks_store" responder-certificate="responder-alias"/>
+            </trust-manager>
+        </trust-managers>
+        <server-ssl-contexts>
+            <server-ssl-context name="server" protocols="TLSv1.2" want-client-auth="true" need-client-auth="true" authentication-optional="true"
+                                use-cipher-suites-order="false" maximum-session-cache-size="10"
+                                session-timeout="120" wrap="false" key-manager="serverKey" trust-manager="serverTrust" pre-realm-principal-transformer="a"
+                                post-realm-principal-transformer="b" final-principal-transformer="c" realm-mapper="d" providers="custom-loader" provider-name="first"/>
+            <server-ssl-context name="server2" protocols="TLSv1.2" want-client-auth="true" need-client-auth="true" authentication-optional="true"
+                                use-cipher-suites-order="false" maximum-session-cache-size="10"
+                                session-timeout="120" wrap="false" key-manager="serverKey" trust-manager="serverTrust" pre-realm-principal-transformer="a"
+                                post-realm-principal-transformer="b" final-principal-transformer="c" realm-mapper="d" providers="custom-loader" provider-name="first"/>
+        </server-ssl-contexts>
+        <client-ssl-contexts>
+            <client-ssl-context name="client" protocols="TLSv1.3 TLSv1.2" key-manager="clientKey" trust-manager="serverTrust" providers="custom-loader"
+                                provider-name="first"/>
+        </client-ssl-contexts>
+        <certificate-authorities>
+            <certificate-authority name="testCA" url="https://www.test.com"/>
+        </certificate-authorities>
+        <certificate-authority-accounts>
+            <certificate-authority-account name="MyCA" certificate-authority="LetsEncrypt">
+                <account-key key-store="accounts.keystore" alias="server">
+                    <credential-reference clear-text="elytron"/>
+                </account-key>
+            </certificate-authority-account>
+            <certificate-authority-account name="MyCA2" certificate-authority="testCA">
+                <account-key key-store="accounts.keystore" alias="server">
+                    <credential-reference clear-text="elytron"/>
+                </account-key>
+            </certificate-authority-account>
+        </certificate-authority-accounts>
+        <server-ssl-sni-contexts>
+            <server-ssl-sni-context name="sni" default-ssl-context="server">
+                <sni-mapping host="server" ssl-context="server" />
+                <sni-mapping host=".*\.server" ssl-context="server2" />
+            </server-ssl-sni-context>
+        </server-ssl-sni-contexts>
+    </tls>
+    <credential-stores>
+        <credential-store name="test1" relative-to="jboss.server.data.dir" location="test1.store" create="true">
+            <implementation-properties>
+                <property name="keyStoreType" value="JCEKS"/>
+                <property name="keyAlias" value="adminKey"/>
+            </implementation-properties>
+            <credential-reference clear-text="secret2"/>
+        </credential-store>
+        <credential-store name="test2" relative-to="jboss.server.data.dir" modifiable="true">
+            <credential-reference store="test1" alias="to_open_test2"/>
+        </credential-store>
+        <credential-store name="test4" relative-to="jboss.server.data.dir" path="test1.store" create="true">
+            <credential-reference clear-text="secret2"/>
+        </credential-store>
+        <secret-key-credential-store name="test3" relative-to="jboss.server.data.dir" path="test3.cs" create="false" populate="false" key-size="192" default-alias="test3" />
+    </credential-stores>
+    <expression-resolver default-resolver="A" prefix="G">
+        <resolver name="A" credential-store="test1" secret-key="C"/>
+        <resolver name="D" credential-store="test2" secret-key="F"/>
+    </expression-resolver>
+    <jaspi>
+        <jaspi-configuration name="test" layer="HttpServlet" application-context="default /test" description="Test Definition">
+            <server-auth-modules>
+                <server-auth-module class-name="org.wildfly.Test" module="org.test" flag="REQUISITE">
+                    <options>
+                        <property name="a" value="b"/>
+                        <property name="c" value="d"/>
+                    </options>
+                </server-auth-module>
+                <server-auth-module class-name="org.wildfly.Test2" module="org.test2" flag="SUFFICIENT">
+                    <options>
+                        <property name="e" value="f"/>
+                        <property name="g" value="h"/>
+                    </options>
+                </server-auth-module>
+            </server-auth-modules>
+        </jaspi-configuration>
+        <jaspi-configuration name="minimal">
+            <server-auth-modules>
+                <server-auth-module class-name="org.wildfly.Test3" />
+            </server-auth-modules>
+        </jaspi-configuration>
+    </jaspi>
+</subsystem>