That limitation really sucks when you have two apps like we do that have different
authentication requirements. Our customer app authenticates against one LDAP database
while our admin app authenticates against our company LDAP.

If we put both authentication providers in the same realm, what happens if we
get a customer who signs up with a username that's the same as an admin's? The
customer could theoretically have access to the admin app.

And if there's only one active realm, what's the point of having the ability to
create multiple security realms?