In the current implementation the "default" SecurityProvider is a SecurityProvider (DummySecurityProvider) annotated with @Alternative. This alternative is enabled by specifying this class in alternatives section of beans.xml included in aerogear-controller.jar.

My understanding is that as long as the DummySecurityProvider has an entry in the beans.xml of aerogear-controller this would be the SecurityProvider in use. To change to a different SecurityProvider users would have to open up aerogear-controller.jar, modify beans.xml, and the repackage their application.

This task should investigate and verify that the above is actually true and also see what alternative solutions exist. ]

One suggestion would be to use a Instance<SecurityProvider> and if that instance is not satisfied we would then provide a default implementation at runtime.