diff --git a/security/subsystem/src/main/java/org/jboss/as/security/AuditResourceDefinition.java b/security/subsystem/src/main/java/org/jboss/as/security/AuditResourceDefinition.java index 2587eaf286a4..336b995c1985 100644 --- a/security/subsystem/src/main/java/org/jboss/as/security/AuditResourceDefinition.java +++ b/security/subsystem/src/main/java/org/jboss/as/security/AuditResourceDefinition.java @@ -27,7 +27,6 @@ import org.jboss.as.controller.OperationStepHandler; import org.jboss.as.controller.SimpleResourceDefinition; import org.jboss.as.controller.registry.ManagementResourceRegistration; -import org.jboss.as.controller.transform.description.ResourceTransformationDescriptionBuilder; import org.jboss.dmr.ModelNode; /** @@ -74,9 +73,4 @@ protected void updateModel(OperationContext context, ModelNode operation) throws } } - static void registerTransformers_1_3_0(ResourceTransformationDescriptionBuilder parentBuilder) { - ResourceTransformationDescriptionBuilder builder = parentBuilder.addChildResource(SecurityExtension.PATH_AUDIT_CLASSIC); - MappingProviderModuleDefinition.registerTransformers_1_3_0(builder); - } - } diff --git a/security/subsystem/src/main/java/org/jboss/as/security/MappingProviderModuleDefinition.java b/security/subsystem/src/main/java/org/jboss/as/security/MappingProviderModuleDefinition.java index 7a8ea0611287..a3fce08100fe 100644 --- a/security/subsystem/src/main/java/org/jboss/as/security/MappingProviderModuleDefinition.java +++ b/security/subsystem/src/main/java/org/jboss/as/security/MappingProviderModuleDefinition.java 
@@ -26,10 +26,6 @@ import org.jboss.as.controller.AttributeDefinition; import org.jboss.as.controller.PathElement; -import org.jboss.as.controller.transform.description.DiscardAttributeChecker; -import org.jboss.as.controller.transform.description.RejectAttributeChecker; -import org.jboss.as.controller.transform.description.ResourceTransformationDescriptionBuilder; -import org.jboss.dmr.ModelNode; /** * This class should better be called {@code AuditProviderModuleDefinition} rather than {@code MappingProviderModuleDefinition}, @@ -51,12 +47,5 @@ public AttributeDefinition[] getAttributes() { return ATTRIBUTES; } - static void registerTransformers_1_3_0(ResourceTransformationDescriptionBuilder parentBuilder) { - ResourceTransformationDescriptionBuilder builder = parentBuilder.addChildResource(PATH_PROVIDER_MODULE); - builder.getAttributeBuilder() - .setDiscard(new DiscardAttributeChecker.DiscardAttributeValueChecker(false, true, - new ModelNode(ModuleName.PICKETBOX.getName())), MODULE) - .addRejectCheck(RejectAttributeChecker.DEFINED, MODULE).end(); - } } diff --git a/security/subsystem/src/main/java/org/jboss/as/security/SecurityDomainResourceDefinition.java b/security/subsystem/src/main/java/org/jboss/as/security/SecurityDomainResourceDefinition.java index 89c771ea4ffa..0008e7c472a5 100644 --- a/security/subsystem/src/main/java/org/jboss/as/security/SecurityDomainResourceDefinition.java +++ b/security/subsystem/src/main/java/org/jboss/as/security/SecurityDomainResourceDefinition.java 
@@ -48,7 +48,6 @@ import org.jboss.as.controller.operations.validation.StringAllowedValuesValidator; import org.jboss.as.controller.registry.ManagementResourceRegistration; import org.jboss.as.controller.registry.OperationEntry; -import org.jboss.as.controller.transform.description.ResourceTransformationDescriptionBuilder; import org.jboss.as.security.logging.SecurityLogger; import org.jboss.as.security.plugins.SecurityDomainContext; import org.jboss.as.security.service.SecurityDomainService; @@ -230,9 +229,4 @@ private static void waitForService(final ServiceController controller) throws } } - static void registerTransformers_1_3_0(ResourceTransformationDescriptionBuilder parentBuilder) { - ResourceTransformationDescriptionBuilder builder = parentBuilder.addChildResource(SecurityExtension.SECURITY_DOMAIN_PATH); - AuditResourceDefinition.registerTransformers_1_3_0(builder); - } - } diff --git a/security/subsystem/src/main/java/org/jboss/as/security/SecurityTransformers.java b/security/subsystem/src/main/java/org/jboss/as/security/SecurityTransformers.java index ff03e52570b5..c38a53e0bb38 100644 --- a/security/subsystem/src/main/java/org/jboss/as/security/SecurityTransformers.java +++ b/security/subsystem/src/main/java/org/jboss/as/security/SecurityTransformers.java @@ -22,6 +22,10 @@ package org.jboss.as.security; +import static org.jboss.as.security.Constants.MODULE; +import static org.jboss.as.security.MappingProviderModuleDefinition.PATH_PROVIDER_MODULE; +import static org.jboss.as.security.SecuritySubsystemRootResourceDefinition.INITIALIZE_JACC; + import org.jboss.as.controller.ModelVersion; import org.jboss.as.controller.PathElement; import org.jboss.as.controller.transform.ExtensionTransformerRegistration; 
@@ -30,6 +34,7 @@ import org.jboss.as.controller.transform.description.RejectAttributeChecker; import org.jboss.as.controller.transform.description.ResourceTransformationDescriptionBuilder; import org.jboss.as.controller.transform.description.TransformationDescription; +import org.jboss.dmr.ModelNode; /** * @author Tomaz Cerar (c) 2017 Red Hat Inc. @@ -42,7 +47,7 @@ public String getSubsystemName() { @Override public void registerTransformers(SubsystemTransformerRegistration subsystemRegistration) { -// only register transformers for model version 1.3.0 (EAP 6.2+). + // only register transformers for model version 1.3.0 (EAP 6.2+). registerTransformers_1_3_0(subsystemRegistration); } 
@@ -53,12 +58,18 @@ private void registerTransformers_1_3_0(SubsystemTransformerRegistration subsyst builder.rejectChildResource(PathElement.pathElement(Constants.ELYTRON_TRUST_STORE)); builder.rejectChildResource(PathElement.pathElement(Constants.ELYTRON_KEY_MANAGER)); builder.rejectChildResource(PathElement.pathElement(Constants.ELYTRON_TRUST_MANAGER)); - builder.addChildResource(PathElement.pathElement(Constants.SECURITY_MANAGEMENT)) - .getAttributeBuilder() - .addRejectCheck(RejectAttributeChecker.DEFINED, SecuritySubsystemRootResourceDefinition.INITIALIZE_JACC) - .setDiscard(DiscardAttributeChecker.UNDEFINED, SecuritySubsystemRootResourceDefinition.INITIALIZE_JACC); + builder.getAttributeBuilder() + .setDiscard(new DiscardAttributeChecker.DiscardAttributeValueChecker(INITIALIZE_JACC.getDefaultValue()), INITIALIZE_JACC) + .addRejectCheck(RejectAttributeChecker.DEFINED, INITIALIZE_JACC); - SecurityDomainResourceDefinition.registerTransformers_1_3_0(builder); + + builder + .addChildResource(SecurityExtension.SECURITY_DOMAIN_PATH) + .addChildResource(SecurityExtension.PATH_AUDIT_CLASSIC) + .addChildResource(PATH_PROVIDER_MODULE) + .getAttributeBuilder() + .setDiscard(new DiscardAttributeChecker.DiscardAttributeValueChecker(new ModelNode(ModuleName.PICKETBOX.getName())), MODULE) + .addRejectCheck(RejectAttributeChecker.DEFINED, MODULE).end(); TransformationDescription.Tools.register(builder.build(), subsystemRegistration, ModelVersion.create(1, 3, 0)); } diff --git a/security/subsystem/src/test/java/org/jboss/as/security/SecurityDomainModelv20UnitTestCase.java b/security/subsystem/src/test/java/org/jboss/as/security/SecurityDomainModelv20UnitTestCase.java index 154e1c2b17f4..b3832e192949 100644 --- a/security/subsystem/src/test/java/org/jboss/as/security/SecurityDomainModelv20UnitTestCase.java +++ b/security/subsystem/src/test/java/org/jboss/as/security/SecurityDomainModelv20UnitTestCase.java 
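Review bot: The two discard checkers added in registerTransformers_1_3_0 rely on behaviour the hunk does not show: `DiscardAttributeValueChecker(INITIALIZE_JACC.getDefaultValue())` only matches if INITIALIZE_JACC actually declares a default, and the MODULE checker drops the explicit `false, true` flags that the removed MappingProviderModuleDefinition code passed. A discard silently drops a security setting for a 1.3.0 host while a reject surfaces it, so I would keep the flags explicit, `new DiscardAttributeChecker.DiscardAttributeValueChecker(false, true, new ModelNode(ModuleName.PICKETBOX.getName()))`, unless the one-argument constructor is confirmed to behave the same. A short comment above each chain would record the intent, e.g. `// discard only when the value equals the legacy default; any other defined value is rejected`. The first chain also omits the `.end()` that the second one calls, which reads as inconsistent even if it is not required. The method body starts outside the hunk.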
@@ -15,24 +15,12 @@ */ package org.jboss.as.security; -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.SUBSYSTEM; -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertTrue; - import java.io.File; import java.io.IOException; import java.util.Properties; -import org.jboss.as.controller.ModelVersion; -import org.jboss.as.controller.PathAddress; -import org.jboss.as.controller.PathElement; -import org.jboss.as.model.test.FailedOperationTransformationConfig; -import org.jboss.as.model.test.ModelTestControllerVersion; -import org.jboss.as.model.test.ModelTestUtils; import org.jboss.as.subsystem.test.AbstractSubsystemBaseTest; import org.jboss.as.subsystem.test.AdditionalInitialization; -import org.jboss.as.subsystem.test.KernelServices; -import org.jboss.as.subsystem.test.KernelServicesBuilder; import org.junit.AfterClass; import org.junit.BeforeClass; import org.junit.Test; 
@@ -107,63 +95,4 @@ public void testSchemaOfSubsystemTemplates() throws Exception { protected AdditionalInitialization createAdditionalInitialization() { return AdditionalInitialization.withCapabilities("org.wildfly.clustering.infinispan.default-cache-configuration.security"); } - - @Test - public void testTransformersEAP64() throws Exception { - testTransformers(ModelTestControllerVersion.EAP_6_4_0); - } - - @Test - public void testTransformersEAP70() throws Exception { - testTransformers(ModelTestControllerVersion.EAP_7_0_0); - } - - private void testTransformers(ModelTestControllerVersion controllerVersion) throws Exception { - - KernelServicesBuilder builder = createKernelServicesBuilder(createAdditionalInitialization()); - ModelVersion version = ModelVersion.create(1, 3, 0); - - final String mavenGavVersion = controllerVersion.getMavenGavVersion(); - final String artifactId; - if (controllerVersion.isEap() && mavenGavVersion.equals(controllerVersion.getCoreVersion())) { - /* EAP 6 */ - artifactId = "jboss-as-security"; - } else { - artifactId = "wildfly-security"; - } - - builder.createLegacyKernelServicesBuilder(AdditionalInitialization.MANAGEMENT, controllerVersion, version) - .addMavenResourceURL(controllerVersion.getMavenGroupId() + ":"+ artifactId +":" + mavenGavVersion); - - KernelServices mainServices = builder.build(); - assertTrue(mainServices.isSuccessfulBoot()); - KernelServices legacyServices = mainServices.getLegacyServices(version); - assertNotNull(legacyServices); - assertTrue(legacyServices.isSuccessfulBoot()); - - // any elytron-related resources in the model should get rejected as those are not supported in model version 1.3.0. 
- PathAddress subsystemAddress = PathAddress.pathAddress(PathElement.pathElement(SUBSYSTEM, getMainSubsystemName())); - ModelTestUtils.checkFailedTransformedBootOperations(mainServices, version, - builder.parseXmlResource("securitysubsystemv20.xml"), - new FailedOperationTransformationConfig() - .addFailedAttribute(PathAddress.pathAddress(subsystemAddress, PathElement.pathElement(Constants.ELYTRON_REALM)), - FailedOperationTransformationConfig.REJECTED_RESOURCE) - .addFailedAttribute(PathAddress.pathAddress(subsystemAddress, PathElement.pathElement(Constants.ELYTRON_KEY_STORE)), - FailedOperationTransformationConfig.REJECTED_RESOURCE) - .addFailedAttribute(PathAddress.pathAddress(subsystemAddress, PathElement.pathElement(Constants.ELYTRON_TRUST_STORE)), - FailedOperationTransformationConfig.REJECTED_RESOURCE) - .addFailedAttribute(PathAddress.pathAddress(subsystemAddress, PathElement.pathElement(Constants.ELYTRON_KEY_MANAGER)), - FailedOperationTransformationConfig.REJECTED_RESOURCE) - .addFailedAttribute(PathAddress.pathAddress(subsystemAddress, PathElement.pathElement(Constants.ELYTRON_TRUST_MANAGER)), - FailedOperationTransformationConfig.REJECTED_RESOURCE) - .addFailedAttribute( - PathAddress.pathAddress(subsystemAddress, - PathElement.pathElement(Constants.SECURITY_DOMAIN, "domain-with-custom-audit-provider"), - SecurityExtension.PATH_AUDIT_CLASSIC, - PathElement.pathElement(Constants.PROVIDER_MODULE, - "org.myorg.security.MyCustomLogAuditProvider")), - new FailedOperationTransformationConfig.NewAttributesConfig(Constants.MODULE)) - .addFailedAttribute(PathAddress.pathAddress(subsystemAddress, PathElement.pathElement(Constants.SECURITY_MANAGEMENT)), - new FailedOperationTransformationConfig.NewAttributesConfig(Constants.INITIALIZE_JACC))); - } } 
diff --git a/security/subsystem/src/test/java/org/jboss/as/security/SecurityTransformersTestCase.java b/security/subsystem/src/test/java/org/jboss/as/security/SecurityTransformersTestCase.java new file mode 100644 index 000000000000..59dced95d5ce --- /dev/null +++ b/security/subsystem/src/test/java/org/jboss/as/security/SecurityTransformersTestCase.java 
@@ -0,0 +1,155 @@ +/* + * JBoss, Home of Professional Open Source. + * Copyright 2017, Red Hat, Inc., and individual contributors + * as indicated by the @author tags. See the copyright.txt file in the + * distribution for a full listing of individual contributors. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. + */ + +package org.jboss.as.security; + +import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.SUBSYSTEM; +import static org.junit.Assert.assertTrue; + +import java.io.IOException; + +import org.jboss.as.controller.ModelVersion; +import org.jboss.as.controller.PathAddress; +import org.jboss.as.controller.PathElement; +import org.jboss.as.model.test.FailedOperationTransformationConfig; +import org.jboss.as.model.test.ModelTestControllerVersion; +import org.jboss.as.model.test.ModelTestUtils; +import org.jboss.as.subsystem.test.AbstractSubsystemBaseTest; +import org.jboss.as.subsystem.test.AdditionalInitialization; +import org.jboss.as.subsystem.test.KernelServices; +import org.jboss.as.subsystem.test.KernelServicesBuilder; +import org.junit.Assert; +import org.junit.Test; + +/** + * @author Tomaz Cerar (c) 2017 Red Hat Inc. 
+ */ +public class SecurityTransformersTestCase extends AbstractSubsystemBaseTest { + + public SecurityTransformersTestCase() { + super(SecurityExtension.SUBSYSTEM_NAME, new SecurityExtension()); + } + + @Override + protected String getSubsystemXml() throws IOException { + return readResource("securitysubsystemv20.xml"); + } + + + @Override + protected AdditionalInitialization createAdditionalInitialization() { + return AdditionalInitialization.withCapabilities("org.wildfly.clustering.infinispan.default-cache-configuration.security"); + } + + @Test + public void testTransformersEAP64() throws Exception { + testTransformers(ModelTestControllerVersion.EAP_6_4_0); + } + + @Test + public void testTransformersEAP70() throws Exception { + testTransformers(ModelTestControllerVersion.EAP_7_0_0); + } + + private void testTransformers(ModelTestControllerVersion controllerVersion) throws Exception { + ModelVersion version = ModelVersion.create(1, 3, 0); + + final String mavenGavVersion = controllerVersion.getMavenGavVersion(); + final String artifactId; + if (controllerVersion.isEap() && mavenGavVersion.equals(controllerVersion.getCoreVersion())) { + /* EAP 6 */ + artifactId = "jboss-as-security"; + } else { + artifactId = "wildfly-security"; + } + + String mavenGav = String.format("%s:%s:%s", controllerVersion.getMavenGroupId(), artifactId, controllerVersion.getMavenGavVersion()); + + testTransformers(controllerVersion, version, mavenGav); + testReject(controllerVersion, version, mavenGav); + } + + private void testReject(ModelTestControllerVersion controllerVersion, ModelVersion targetVersion, String mavenGAV) throws Exception { + KernelServicesBuilder builder = createKernelServicesBuilder(createAdditionalInitialization()); + builder.createLegacyKernelServicesBuilder(null, controllerVersion, targetVersion) + .configureReverseControllerCheck(createAdditionalInitialization(), null) + //.skipReverseControllerCheck() + .addMavenResourceURL(mavenGAV) + .dontPersistXml(); + + 
KernelServices mainServices = builder.build(); + Assert.assertTrue(mainServices.isSuccessfulBoot()); + KernelServices legacyServices = mainServices.getLegacyServices(targetVersion); + Assert.assertTrue(legacyServices.isSuccessfulBoot()); + Assert.assertNotNull(legacyServices); + + // any elytron-related resources in the model should get rejected as those are not supported in model version 1.3.0. + PathAddress subsystemAddress = PathAddress.pathAddress(PathElement.pathElement(SUBSYSTEM, getMainSubsystemName())); + ModelTestUtils.checkFailedTransformedBootOperations(mainServices, targetVersion, + builder.parseXmlResource("security-transformers-reject_2.0.xml"), + new FailedOperationTransformationConfig() + .addFailedAttribute(PathAddress.pathAddress(subsystemAddress, PathElement.pathElement(Constants.ELYTRON_REALM)), + FailedOperationTransformationConfig.REJECTED_RESOURCE) + .addFailedAttribute(PathAddress.pathAddress(subsystemAddress, PathElement.pathElement(Constants.ELYTRON_KEY_STORE)), + FailedOperationTransformationConfig.REJECTED_RESOURCE) + .addFailedAttribute(PathAddress.pathAddress(subsystemAddress, PathElement.pathElement(Constants.ELYTRON_TRUST_STORE)), + FailedOperationTransformationConfig.REJECTED_RESOURCE) + .addFailedAttribute(PathAddress.pathAddress(subsystemAddress, PathElement.pathElement(Constants.ELYTRON_KEY_MANAGER)), + FailedOperationTransformationConfig.REJECTED_RESOURCE) + .addFailedAttribute(PathAddress.pathAddress(subsystemAddress, PathElement.pathElement(Constants.ELYTRON_TRUST_MANAGER)), + FailedOperationTransformationConfig.REJECTED_RESOURCE) + .addFailedAttribute( + PathAddress.pathAddress(subsystemAddress, + PathElement.pathElement(Constants.SECURITY_DOMAIN, "domain-with-custom-audit-provider"), + SecurityExtension.PATH_AUDIT_CLASSIC, + PathElement.pathElement(Constants.PROVIDER_MODULE, + "org.myorg.security.MyCustomLogAuditProvider")), + new FailedOperationTransformationConfig.NewAttributesConfig(Constants.MODULE)) + 
.addFailedAttribute(PathAddress.pathAddress(subsystemAddress), + new FailedOperationTransformationConfig.NewAttributesConfig(Constants.INITIALIZE_JACC))); + legacyServices.shutdown(); + mainServices.shutdown(); + } + + + private void testTransformers(ModelTestControllerVersion controllerVersion, ModelVersion targetVersion, String mavenGAV) throws Exception { + //Boot up empty controllers with the resources needed for the ops coming from the xml to work + KernelServicesBuilder builder = createKernelServicesBuilder(createAdditionalInitialization()) + .setSubsystemXmlResource("security-transformers_2.0.xml"); + builder.createLegacyKernelServicesBuilder(null, controllerVersion, targetVersion) + .addMavenResourceURL(mavenGAV) + .configureReverseControllerCheck(createAdditionalInitialization(), null) + .dontPersistXml(); + + KernelServices mainServices = builder.build(); + assertTrue(mainServices.isSuccessfulBoot()); + assertTrue(mainServices.getLegacyServices(targetVersion).isSuccessfulBoot()); + + checkSubsystemModelTransformation(mainServices, targetVersion, null); + mainServices.shutdown(); + } + + + @Override + public void testSchema() throws Exception { + } +} diff --git a/security/subsystem/src/test/resources/org/jboss/as/security/security-transformers-reject_2.0.xml b/security/subsystem/src/test/resources/org/jboss/as/security/security-transformers-reject_2.0.xml new file mode 100644 index 000000000000..787437d527e6 --- /dev/null +++ b/security/subsystem/src/test/resources/org/jboss/as/security/security-transformers-reject_2.0.xml @@ -0,0 +1,163 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
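Review bot: In testReject of SecurityTransformersTestCase the null assertion comes after the dereference: `Assert.assertTrue(legacyServices.isSuccessfulBoot());` runs before `Assert.assertNotNull(legacyServices);`, so a missing legacy controller fails with a NullPointerException rather than the assertion. Swapping the two lines restores the order the removed test in SecurityDomainModelv20UnitTestCase used. The empty `testSchema()` override presumably switches off an inherited check without saying why; a one-line comment in the body, such as `// schema validation is exercised by SecurityDomainModelv20UnitTestCase` (if that is the reason), would make it deliberate. The `shutdown()` calls in testReject and testTransformers are skipped whenever an earlier assertion fails, so wrapping the checks in try/finally would keep a failed run from leaving controllers running.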
diff --git a/security/subsystem/src/test/resources/org/jboss/as/security/security-transformers_2.0.xml b/security/subsystem/src/test/resources/org/jboss/as/security/security-transformers_2.0.xml new file mode 100644 index 000000000000..0e7b1b85d3d7 --- /dev/null +++ b/security/subsystem/src/test/resources/org/jboss/as/security/security-transformers_2.0.xml @@ -0,0 +1,149 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +