The reference guide should clearly specify the permissions to be assigned to the Hibernate Validator code base when running with a Java security manager. A sample policy file would be very helpful.