Basic authentication is enabled by default if a request has an Authorization request header

Solution Verified - Updated -

Issue

  • Basic authentication is enabled by default if a request has an Authorization request header. Our application does not have <login-config> in web.xml, hence enabling Basic authentication is not expected. How do we disable Basic authentication?
  • We do not intend to enable Basic authentication, but the application returns 401 Unauthorized.
  • This issue only happens if we use Elytron instead of legacy security. standalone.xml is changed by jboss-eap-7.4/docs/examples/enable-elytron-se17.cli to run JBoss EAP 7.4 with OpenJDK 17. The undertow subsystem settings are as follows:
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
        <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <http-invoker http-authentication-factory="application-http-authentication"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <application-security-domains>
        <application-security-domain name="other" security-domain="ApplicationDomain"/>
    </application-security-domains>
</subsystem>
  • The application's authentication setting is overridden by Elytron even though the attribute override-deployment-config=false is set on the <application-security-domain> tag.
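The following harness is an added example, not part of this Red Hat solution or of JBoss EAP, for narrowing down where the 401 reported above comes from. It does two things a practitioner would want before touching the Elytron configuration: it inspects the deployment's web.xml for a <login-config> (if none is declared, any challenge is issued by the container's HTTP authentication factory, not by the application), and it sends the same GET to the deployment once without and once with an "Authorization: Basic ..." header and compares the status and WWW-Authenticate values. The URL, the credentials, the sample web.xml descriptors and the stub server are all constructed for the example; the stub only mimics the reported symptom so the harness can run offline and must not be read as EAP's actual behaviour. In practice, point probe() at the EAP http-listener.

```python
"""Added example: locate the source of an unexpected 401 on an EAP 7.4 deployment.

Checks:
  1. web_xml_login_config(): does web.xml declare <login-config>/<auth-method>?
  2. probe()/compare(): does the same request get 401 only when it carries
     an Authorization header?
All URLs, credentials, descriptors and the stub server are constructed here.
"""
import base64
import http.client
import threading
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed sample descriptors: one with no <login-config> (the situation in
# the issue above) and one that explicitly declares BASIC.
SAMPLE_WEB_XML_NO_LOGIN_CONFIG = (
    b'<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">'
    b'<display-name>demo</display-name></web-app>'
)
SAMPLE_WEB_XML_BASIC = (
    b'<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">'
    b'<login-config><auth-method>BASIC</auth-method>'
    b'<realm-name>Application Realm</realm-name></login-config></web-app>'
)


def _local(tag):
    """Strip the XML namespace so both namespaced and plain descriptors work."""
    return tag.split("}")[-1]


def web_xml_login_config(web_xml):
    """Return the <auth-method> declared in web.xml, "" if <login-config> has none,
    or None when the descriptor declares no <login-config> at all."""
    root = ET.fromstring(web_xml)
    for elem in root.iter():
        if _local(elem.tag) == "login-config":
            for child in elem.iter():
                if _local(child.tag) == "auth-method":
                    return (child.text or "").strip()
            return ""
    return None


def basic_credential(user, password):
    """Build the Authorization header value for HTTP Basic (RFC 7617)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def probe(url, authorization=None, timeout=5.0):
    """GET url once, optionally with an Authorization header.
    Returns (status, WWW-Authenticate header or None)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    headers = {"Authorization": authorization} if authorization else {}
    try:
        conn.request("GET", parts.path or "/", headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("WWW-Authenticate")
    finally:
        conn.close()


def compare(url, authorization):
    """Run both probes; header_triggers_auth is True when only the request
    carrying Authorization is challenged, which is the symptom in the issue."""
    plain = probe(url)
    with_auth = probe(url, authorization)
    return {
        "without_header": plain,
        "with_header": with_auth,
        "header_triggers_auth": plain[0] != 401 and with_auth[0] == 401,
    }


class _SymptomStub(BaseHTTPRequestHandler):
    """Constructed stand-in that reproduces the reported symptom offline.
    It is NOT EAP/Elytron; it exists only so the harness can be exercised."""

    def do_GET(self):
        if "Authorization" in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Application Realm"')
            self.end_headers()
        else:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stub():
    """Start the stub on an ephemeral port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _SymptomStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


if __name__ == "__main__":
    print("web.xml auth-method:", web_xml_login_config(SAMPLE_WEB_XML_NO_LOGIN_CONFIG))
    srv, url = start_stub()   # replace url with the real EAP listener in practice
    try:
        print(compare(url, basic_credential("user", "pass")))
    finally:
        srv.shutdown()
```

If web_xml_login_config() returns None and compare() reports header_triggers_auth as True against the real listener, the challenge is coming from the container side (the undertow application-security-domain and the Elytron HTTP authentication factory it resolves to), which is the situation the issue above describes.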

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 7.4.7
    • 7.4.8
  • Elytron
  • OpenJDK17
