If a user wants to add a static module (e.g. a different version of Hibernate), do the jars have to be signed when the security manager is enabled? I assume yes but perhaps there will be some magic that I don't know about for this case. :)