Firstly we have the layer "undertow" - this layer does not depend on any security.  I think this is correct, at the lowest level a server could be serving up content that does not require any of the services provided by WildFly Elytron.

We then have a layer "undertow-https", this adds a https listener to the Undertow subsystem and in turn depends on the SSLContext capability from WildFly Elytron.

For the Undertow subsystem we then can add a HTTP invoker although this is really used for EJB invocations, I was considering a layer like "undertow-invoker" - but maybe "ejb-http-invoker" may be more suitable.  This layer in turn would depend on Elytron capabilities to provide authentication.

The final missing piece is the default configurations now need to contain "application-security-domain" mappings.  I am thinking for now to not include these in a layer.  Later we want to make the use of these resources optional so it is only temporary that they will be required in the default configuration.
--