The design of the Security External module depends on undefined behaviour of alternatives. It defines alternatives (*ApplicationScopeProducer and *VirtualApplicationScopeProducer) in the module and expects the application to set the alternatives in its beans.xml, which isn't supported by the CDI spec (see CDI-18) and doesn't seem to work anywhere except JBoss AS 6.
We should probably just remove the Producers and make the beans @ApplicationScoped directly. Users interested in changing the scope of those beans could still use Seam Config for that.