So one thing I'm still wondering about is what the intended use case is for modules like "org.jboss.as.web.security.jaspi.modules.HTTPBasicServerAuthModule".
Those are not the default (and as you just explained, will probably not become default anytime soon), but the user can activate them. Since the same functionality is also provided by the traditional modules, why would a user want to use "org.jboss.as.web.security.jaspi.modules.HTTPBasicServerAuthModule"?