Ideally the container will only have the "other" security domain configured in the domain xml. All applications would install their own security domain along with the files required for them. This way the property files will be available in the classpath of every host.