The TomcatDeployer as a securityManagerService that is set using injection of the jboss.security:service=JaasSecurityManager mbean. There is just propagated down to the deployment. It should be a dependency inject setup in the deployment based on the name. We seem to already have a duplicate injection setting coming from the securityManagementName which is already injected in the deployment. The securityManagerService should just be dropped from the deployer.