As we move onto the next stages of removing the security subsystem and combined with the desire that are default configurations can be provisioned exclusively using layers I need to revisit the Undertow layers and check what is desirable. Firstly we have the layer "undertow" - this layer does not depend on any security. I think this is correct, at the lowest level a server could be serving up content that does not require any of the services provided by WildFly Elytron. We then have a layer "undertow-https", this adds a https listener to the Undertow subsystem and in turn depends on the SSLContext capability from WildFly Elytron. For the Undertow subsystem we then can add a HTTP invoker although this is really used for EJB invocations, I was considering a layer like "undertow-invoker" - but maybe "ejb-http-invoker" may be more suitable. This layer in turn would depend on Elytron capabilities to provide authentication. The final missing piece is the default configurations now need to contain "application-security-domain" mappings. I am thinking for now to not include these in a layer. Later we want to make the use of these resources optional so it is only temporary that they will be required in the default configuration. -- Darran Lofthouse Red Hat <https://www.redhat.com/> darran.lofthouse(a)jboss.com <https://www.redhat.com/>