The next target we need to tackle is the org.picketbox module, this step will involve some work within each of the affected components.  We need to reach the point that all other module dependencies on this one are also optional so it is only provisioned when the legacy security subsystem is provisioned.

At the top level this is being tracked under:

  https://issues.redhat.com/browse/WFLY-13889

For the individual subsystems I have split out a set of tasks so they can be tackled individually:

  - Messaging - https://issues.redhat.com/browse/WFLY-14752

  - IIOP - https://issues.redhat.com/browse/WFLY-13679

  - Web Services - https://issues.redhat.com/browse/WFLY-14841

  - JCA - https://issues.redhat.com/browse/WFLY-14842

  - EJB3 - https://issues.redhat.com/browse/WFLY-14843

 - Application Client - https://issues.redhat.com/browse/WFLY-14844

 - security-api / security-integration - https://issues.redhat.com/browse/WFLY-14845

I have left these unassigned by default so we can see when they have been picked up.

Some of these may be more complicated than others so the most urgent task is to identify where we think we are going to run into problems so we can define a solution.

Some solutions could include:

 - Moving utility code to WildFly Elytron or some other common project.

 - Forking utility code to a private implementation in the project that needs it.

 - For anything affecting deployments using capabilities to check if legacy security is present.

 - Any optional use of legacy security should be disabled from Java 13 and later.

 - Other solutions to be developed.

This specific task is not about changing the default configuration to move on from legacy security.  Once this step is complete we will be ready to start adjusting the default configuration to eliminate legacy security.

Regards,

Darran Lofthouse.