Run add-user command inside bin folder to add an application user.
Run wildfly with the provided standalone-full-text.xml.
Deploy the provided ee-security.war.
Make a get request to http://localhost:8080/ee-security/secured (via browser or curl) and specify X-Username and X-Password headers with the previously chosen values.
A JSESSIONID is returned and can be used instead of X-Username and X-Password to stay logged in.
If you reboot the application server the JSESSIONID is no more valid and you need to login again.
The war is built from this official example :
But it has been modified to have @AutoApplySession annotation on the TestAuthenticationMechanism.
Anyway I also attached the source.
This issue affects both HA and non HA profiles.
In the provided standalone.xml HttpSessions are persisted via jdbc-store using an h2 file datasource.
I also reproduced the issue with mysql datasources.
I don't know what broke this, but for sure this worked previously on Wildfly 21 using old pickebox/legacy security subsystem.