[
https://issues.redhat.com/browse/WFLY-13679?page=com.atlassian.jira.plugi...
]
Brian Stansberry commented on WFLY-13679:
-----------------------------------------
I've been poking a bit and I see four things to look into, although there may be
more:
1) The module depends on org.jboss.as.security, which afaict is not necessary. If so
that's an easy fix.
2) If the 'security-domain' attribute is set, then the legacy security domain from
the legacy security subsystem is required. But there is a proper capability reference
there, so that should be fine. The LegacySSLSocketFactory use of org.jboss.security (i.e.
picketbox) would only come into play if that attribute is set, so *that use* of picketbox
could be marked as optional.
3) TrustedIdentityTokenLoginModule uses picketbox but AFAICT that class is unused and can
be removed, so it doesn't drive a non-optional dep on the picketbox module.
4) The problematic bit is SASClientIdentityInterceptor which uses Picketbox. AFAICT it is
used if the 'security' attribute is set to 'identity'. That is not the
default value for the AttributeDefinition, but it is the standard value in our
configuration, and any iiop layer that uses the standard 'iiop-openjdk'
feature-group would also set that value. I think that would be wrong for a layer, as any
such layer would be required to depend on the legacy security subsystem to function
properly, I believe. If 'identity' was not a default value nor a standard value
then perhaps the module.xml could treat the org.picketbox module dependency as optional.
Galleon has no hook to ensure legacy security is provisioned though if the user sets the
value to 'identity'.
Make legacy security optional for "org.wildfly.iiop-openjdk"
------------------------------------------------------------
Key: WFLY-13679
URL: https://issues.redhat.com/browse/WFLY-13679
Project: WildFly
Issue Type: Sub-task
Components: IIOP, Security
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Priority: Major
Fix For: 21.0.0.Beta1
The dependency needs to be optional so provisioning a layer with iiop-openjdk does not
automatically pull in legacy security.
This is not just about making the module dependency optional, this is about understanding
why it is not optional and identifying the steps required to make it optional.
This needs to consider:
* Default Configuration
* User Defined Configuration
Both of these can have different consequences depending on if they are used for:
* Resource defined services
* DeploymentUnitProcessor processing
iiop-openjdk module.xml:
https://github.com/wildfly/wildfly/blob/master/ee-feature-pack/common/src...