Company:
Date Published:
Author: Tim Vernum
Word count: 2503
Language: -
Hacker News points: None

Summary

Elasticsearch's X-Pack security extensions offer the ability to develop custom security realms and roles providers, enhancing the built-in authentication and authorization capabilities for diverse authentication mechanisms. With version 6.3, these extensions are now treated as standard Elasticsearch plugins, allowing them to overcome previous limitations such as classloader issues and enabling them to implement various plugin interfaces. This change introduces the SecurityExtension interface, which simplifies the conversion of existing extensions and facilitates new development. A practical example discussed is a custom security extension designed for a hypothetical eCommerce platform, which dynamically generates roles based on store-specific data without requiring manual role definitions. This extension uses cryptographic signatures to authenticate users via custom HTTP headers, ensuring secure and efficient access control across multiple independent stores. The described security extension is illustrative, providing a comprehensive example for developers to learn from, although it is not production-ready due to the absence of tests and limited error handling.