Wildfly 27: No error or warning in case of incorrect security domain specified in web.xml / jboss-web.xml


We use BASIC authentication for a REST API of a WAR deployment (running in Wildfly 27). Wildfly has been configured accordingly and web.xml / jboss-web.xml refers to the corresponding application-security-domain in the undertow subsystem:

web.xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secured</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>FooRole</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <!-- realm-name is only the realm string sent in the WWW-Authenticate challenge;
       it does not select the security domain (that is done in jboss-web.xml) -->
  <realm-name>bar-security-domain</realm-name>
</login-config>

jboss-web.xml

<jboss-web>
  <!-- must match the name of an application-security-domain in the undertow
       subsystem, not the name of an Elytron security-domain -->
  <security-domain>bar-security-domain</security-domain>
</jboss-web>

standalone-full.xml

<application-security-domain name="bar-security-domain" http-authentication-factory="foobar-auth"/>

With that configuration everything works fine (access only with valid user credentials), but what irritated me during the setup: if a security-domain is specified in web.xml / jboss-web.xml which does not exist as an application-security-domain in the undertow subsystem (e.g. due to a typo, or because the security-domain from the elytron subsystem is mistakenly referenced instead of the application-security-domain from the undertow subsystem), the application can be used without any authentication, even though no default-security-domain is defined in our undertow configuration.

I would expect:

  • An error that the security domain specified in web.xml / jboss-web.xml was not found, or at least a warning that a fallback is being used.
  • That the security domain assigned to the application can be traced in the HAL.

I have not been able to find either of these anywhere so far.

Questions:

  • Is it possible to determine which security-domain is assigned to an application in Wildfly at runtime?
  • Is it a bug or feature that there is no error/warning in case of incorrect security domain in web.xml / jboss-web.xml (e.g. to be able to flexibly activate/deactivate the security domain via configuration in standalone-full.xml)?
  • Is there a configuration option to generate an error/warning in the event of an incorrect security domain in web.xml / jboss-web.xml?
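The failure mode the question describes (a mistyped or wrong-subsystem security-domain silently falling through to the undertow default) is cheap to catch before deployment. The script below is an added example, not code from the question or from WildFly: it parses jboss-web.xml and standalone-full.xml offline and reports whether the referenced name is an undertow application-security-domain, an Elytron security-domain referenced by mistake, or undefined. The XML samples and namespace versions are constructed for illustration (elements are matched by local name, so the exact namespace URIs do not matter). On a running server the equivalent question is answered by the CLI with `/subsystem=undertow:read-children-names(child-type=application-security-domain)` and `/subsystem=undertow:read-attribute(name=default-security-domain)`; the script only checks the configuration files, so it cannot see domains added at runtime.

```python
"""Pre-deployment guard: does the <security-domain> in jboss-web.xml exist as an
<application-security-domain> in the undertow subsystem, and not merely as an
Elytron <security-domain>?  Added example; not part of WildFly or of the question.
Sample XML below is constructed; namespace URIs are illustrative."""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Element's local name with the '{namespace}' prefix removed."""
    return tag.rsplit("}", 1)[-1]


def _ns(tag: str) -> str:
    """Element's namespace URI ('' when unqualified)."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def referenced_security_domain(jboss_web_xml: str):
    """Text of <security-domain> in jboss-web.xml, or None when absent/empty."""
    for el in ET.fromstring(jboss_web_xml).iter():
        if _local(el.tag) == "security-domain":
            return (el.text or "").strip() or None
    return None


def parse_standalone(standalone_xml: str) -> dict:
    """Collect the names a deployment may legitimately (or mistakenly) reference."""
    cfg = {"application_security_domains": {}, "elytron_security_domains": set(),
           "default_security_domain": None}
    for sub in ET.fromstring(standalone_xml).iter():
        if _local(sub.tag) != "subsystem":
            continue
        ns = _ns(sub.tag)
        if "undertow" in ns:
            # None means the attribute is absent and the subsystem's built-in default applies
            cfg["default_security_domain"] = sub.get("default-security-domain")
            for asd in sub.iter():
                if _local(asd.tag) == "application-security-domain":
                    # what the domain delegates to: an HTTP auth factory or an Elytron domain
                    cfg["application_security_domains"][asd.get("name")] = (
                        asd.get("http-authentication-factory") or asd.get("security-domain"))
        elif "elytron" in ns:
            for sd in sub.iter():
                if _local(sd.tag) == "security-domain" and sd.get("name"):
                    cfg["elytron_security_domains"].add(sd.get("name"))
    return cfg


def check_deployment(jboss_web_xml: str, standalone_xml: str) -> dict:
    """Classify the reference; only status 'ok' means the named
    application-security-domain will actually be applied to the WAR."""
    ref = referenced_security_domain(jboss_web_xml)
    cfg = parse_standalone(standalone_xml)
    result = {"referenced": ref, "fallback": cfg["default_security_domain"]}
    if ref is None:
        result["status"] = "no-security-domain-in-jboss-web"
    elif ref in cfg["application_security_domains"]:
        result["status"] = "ok"
        result["delegates_to"] = cfg["application_security_domains"][ref]
    elif ref in cfg["elytron_security_domains"]:
        result["status"] = "elytron-domain-referenced"   # wrong subsystem, falls through
    else:
        result["status"] = "undefined"                   # typo, falls through
    return result


# Constructed sample of the relevant parts of standalone-full.xml.
STANDALONE_SAMPLE = """\
<server xmlns="urn:jboss:domain:20.0">
  <profile>
    <subsystem xmlns="urn:wildfly:elytron:18.0">
      <security-domains>
        <security-domain name="ApplicationDomain" default-realm="ApplicationRealm"/>
        <security-domain name="bar-elytron-domain" default-realm="bar-realm"/>
      </security-domains>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server">
      <application-security-domains>
        <application-security-domain name="bar-security-domain"
                                     http-authentication-factory="foobar-auth"/>
      </application-security-domains>
    </subsystem>
  </profile>
</server>
"""


def jboss_web(domain: str) -> str:
    """Minimal constructed jboss-web.xml referencing the given domain."""
    return f"<jboss-web><security-domain>{domain}</security-domain></jboss-web>"


if __name__ == "__main__":
    for d in ("bar-security-domain", "bar-securty-domain", "bar-elytron-domain"):
        print(d, "->", check_deployment(jboss_web(d), STANDALONE_SAMPLE)["status"])
```

Wire `check_deployment` into the build so that anything other than `ok` fails the pipeline; that gives the error the server does not emit, and the `fallback` field shows which domain (or the subsystem default, when `None`) the WAR would otherwise end up under.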