This is a race between Hibernate and the security manager being set. If you set the security manager in a production environment and rely on this, you are however not really secure if the manager is not set at application startup.

If you got a bad copy of Hibernate, for instance, someone could have changed the code to set the security manager prematurely and intercept all crucial code paths. This is why I would guess this is only an issue in unit tests, yes.