The authentication / group loading interaction with security realms is a multi-step process, strictly speaking the realm is not actually involved in making the 'authenticated' decision - instead the callbacks allow the entry point to make that decision.

As it is a multi-step process it is beneficial to cache resources between the steps e.g. connections to servers containing the actual users.

As a bare minimum we need the 'org.jboss.as.domain.management.AuthorizingCallbackHandler' interface to have a method which is called to indicate that clean up can and should occur.