Actually I think a better model would be:
<security>
    <security-management security-management-class-name="org.jboss.as.security.plugins.JNDIBasedSecurityManagement">
        <authentication authentication-manager-class-name="org.jboss.security.plugins.auth.JaasSecurityManagerBase" deep-copy-subject-mode="false" default-callback-handler-class-name="org.jboss.security.auth.callback.JBossCallbackHandler"/>
        <authorization authorization-manager-class-name="org.jboss.security.plugins.JBossAuthorizationManager"/>
    </security-management>
    <subject-factory subject-factory-class-name="org.jboss.as.security.plugins.JBossSecuritySubjectFactory"/>
</security>
This way we can start a separate service for the ISecurityManagement interface and make other services depend on it, like the subject factory for instance.
I will also work on a sub element of security for the authentication cache.
I need some ideas on where to model the configuration for the security domains. Maybe we should just get rid of login-config.xml and map the security domains directly in the domain model. What do you think? We could start the container with only the "other" configuration and let each application deploy its own security domain configuration.