At present jboss-web takes one security-domain and potentially many virtual-host configurations such that one webapp is deployed to many virtual hosts with the same security domain. For websites with multiple regions, it often makes sense to use DIFFERENT security domains for each virtual host.

Today we can have only

jboss-web
security-association
virtual-host

Ideally we could have

jboss-web
virtual-host
security-association
virtual-host
security-association

Or:

jboss-web
security-association
virtual-host
security-association
virtual-host
security-association

where the virtual host security-associations would override the parent.

In tomcat/src/main/org/jboss/web/tomcat/service/TomcatDeployer.xml the performDeployInternal happens ALREADY for each hostname. At present it uses ONE SecurityAssociationValve for all virtual hosts and the securityassociationvalve is configured with the metaData.getSecurityDomain(). This could instead be a seperate SecurityAssociationValve for each host with the securitydomain as an argument (used to flush the authentication cache). Elsewhere, the ENC/security/security-domain is used. This instead could be the ENC/security/vhost/security-domain or securityMgr (they ultimately are the same thing in server/src/main/org/jboss/web/AbstractWebDeployer).

The trickiest piece isn't the server code, this would require some refactoring but doing the descriptor in an adequate but backward compatible way. <virtual-host>hostname</virtual-host> becomes <virtual-host>xxx</virtual-host><security-domain>domain</security-domain> or something like that. Ideally it would be <virtual-host>xxx<security-domain>xxx</security-domain></virtual-host> for clarity.