The security fraction brings in the security subsystem, which allows defining custom security domains. I'm playing with the servlet-security EAP quickstart which is doing exactly that – it contains a CLI script that creates a security domain, but for that, the security fraction is required.
I can of course include it manually, but I wonder if there are cases when the security fraction should be autodetected, such as presence of the javax.annotation.security annotations, or possibly presence of security-related elements in web.xml and/or jboss-web.xml. Thoughts?
(Actually a lot of fractions bring in security transitively, but not all of them. For example jaxrs, datasources or jpa do bring it in, but undertow doesn't. So I think this would still be valuable.)