1) Add user: ./add-user.sh -u admin -p pass@123 -s 2) setup http-interface: <http- interface http-authentication-factory= "management-http-authentication" > <http-upgrade enabled= " true " sasl-authentication-factory= "management-sasl-authentication" /> <socket-binding http= "management-http" /> </http- interface > 3) setup authentication-client: <authentication-client> <authentication-configuration name= "authConfig" authentication-name= "admin" host= "localhost" protocol= "remote+http" port= "9990" > <credential-reference clear-text= "pass@123" /> </authentication-configuration> <authentication-context name= "authCtx" > <match-rule authentication-configuration= "authConfig" /> </authentication-context> </authentication-client> 4) setup authCtx as default-authentication-context: <subsystem xmlns= "urn:wildfly:elytron:1.0" default -authentication-context= "authCtx" final -providers= "combined-providers" > 5) deploy application which try to runs :whoami operation through ModelControllerClient (see attachments) 6) Access: http://127.0.0.1:8080/direct-call-dep/directCall?protocol=https&hostname=localhost&port=9990 - it will failed ( execution failed is printed). http://127.0.0.1:8080/direct-call-dep/directCall?protocol=remote%2Bhttp&hostname=localhost&port=9990 - it will passed ( admin is printed). It means that protocol configured on ModelControllerClient has been used instead of protocol configured in default-authentication-context (in correct behavior, it should be independent on paramater protocol because protocol is configured in default-authentication-context. 7) Optional: you can try to access http://127.0.0.1:8080/direct-call-dep/directCall?protocol=remote%2Bhttp&hostname=wrongAddress&port=1234 which set wrongAddress as host and 1234 as port on ModelControllerClient, but use correctly localhost and 9990 because it is configured in default-authentication-context.