Currently, the automatic creation of a virtual SecurityDomain doesn't happen until processing a deployment. This can be problematic when we have two deployments, say EAR#1 and EAR#2, where:

• We want to secure an EJB in EAR#2 with the same virtual security domain that was used to secure a servlet from EAR #1.

AND

• EAR#1 depends on EAR#2 being deployed first.

EAR#2 needs the virtual SecurityDomain that's used to secure EAR#1 in order for deployment to succeed (since EJBSecurityDomainService#start relies on the SecurityDomain being available, it's not enough for just the virtual-security-domain resource to have been defined).

Currently, the automatic creation of a virtual SecurityDomain doesn't happen until processing a deployment. Thus, if EAR#2 needs to be deployed before EAR#1, the virtual SecurityDomain associated with EAR#1 won't be available yet.

We need to ensure a virtual SecurityDomain is created if necessary when an EJB references a virtual security domain.

With this change, a test should also be added to OidcIdentityPropagationTestCase to ensure that an EJB in EAR#2 can successfully use a @SecurityDomain annotation to specify that it should be secured using the same virtual security domain used for EAR#1.