(See email titled "changes / deprecation in security subsystem in EAP7" from December 2015 between Bilge, Darran, Bolek, Divya.)

Summary:
Ensure that customers on EAP 7.0 can migrate over without forcing them to re-work their applications.

Ensure that EAP 7.0 configuration and deployments will be usable on EAP 7.1 without change. For customers in this situation switching to Elytron is optional as and when they are ready to migrate applications.

Once an application is migrated to Elytron provide a level of compatibility where a pre-existing security domain can expose itself as an Elytron security realm and it can be used with an Elytron configuration for username / password based authentication.

Generally our implementation and integration will support one or the other or both in parallel. Those users would certainly need something to help them add the Elytron subsystem definition so they can transition as they are ready.

The new users/apps starting from EAP 7.1 will then be encouraged to use the new Elytron based approach. But, unlike other replacement projects (web, messaging) we are in a situation where both old and new will be running completely in parallel.

In EAP 7.1, Elytron would also be providing a replacement vault implementation but both old (EAP 6.4 and EAP 7.0) and new will be available and supported.

There will be JAAS Login Modules compatibility (they will continue to work)
The EAP 7.0 security domains will work.There will be migration path (such as CLI Migration operations for subsystem configuration) for the areas that require migration; keystore definition etc.

Migration Guide Documentation (The Migration Guide Documentation needs to address migration to EAP 7.1 from EAP 6.4 and EAP 7.0 both of which uses PicketBox as the underlying Security Implementation)