At present in WildFly upstream, the security manager is only installed
when the security manager subsystem installation commences, leading to
PRs like this one  being rejected. However, feedback from various
quarters indicates that this relatively late installation may not be
acceptable for a couple different reasons. The current EAP version
supports using the -secmgr flag to the start scripts to tell the
bootstrap to install the security manager via jboss-modules' discovery
process, which happens at the very beginning of process start.
I'm thinking maybe we should bring this functionality forward, resurrect
#175, and modify the security manager subsystem to attach to the
currently installed security manager. This is also more friendly to
embedded processes; we should support (for example) permission
specification in deployments even if we don't directly control the
security manager. This also allows the security manager subsystem to
run even if no security manager is installed, so validation of
permissions.xml (for example) will still take place.