And speaking of running under a security manager, the SetAccessible PrivilegedAction in
ReflectMethodInfoImpl should not be used because the security check should not be based on
the jboss-reflect codebase. It needs to be based on the codebase calling into the
reflection layer, and in reality, the code that is actually doing the invocation.
I can see a general JBoss layer like the management layer needing to obtain the reflection
view, but the determination as to whether setAccessible can be called should be done when
the invocation is made to validate that the caller codebase wanting to access or set a
property value is not bypassing the underlying bean class Java language security
declarations.
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4210537#...
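
Added example, not part of the original post and not jboss-reflect code: the two patterns the post contrasts, side by side. The class, method and bean names are hypothetical, and the difference only shows on a JVM running with a security manager and a policy that grants the reflection library more than its caller.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.lang.reflect.ReflectPermission;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical helper, not jboss-reflect code.
public class ReflectAccessDemo {

    // Constructed sample bean with a private accessor.
    static class Bean {
        private String secret() { return "s3cret"; }
    }

    // Pattern the post objects to: doPrivileged stops the permission check at this
    // class's protection domain, so the caller's codebase is never consulted.
    static Object invokePrivileged(final Method m, Object target) throws Exception {
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            public Void run() {
                m.setAccessible(true);
                return null;
            }
        });
        return m.invoke(target);
    }

    // Pattern the post asks for: decide at invocation time, with no doPrivileged,
    // so every codebase on the call stack must hold suppressAccessChecks. The
    // explicit check also covers Method objects cached with the flag already set.
    static Object invokeCallerChecked(Method m, Object target) throws Exception {
        boolean isPublic = Modifier.isPublic(m.getModifiers())
                && Modifier.isPublic(m.getDeclaringClass().getModifiers());
        SecurityManager sm = System.getSecurityManager();
        if (!isPublic && sm != null) {
            sm.checkPermission(new ReflectPermission("suppressAccessChecks"));
        }
        if (!isPublic) {
            m.setAccessible(true);
        }
        return m.invoke(target);
    }

    public static void main(String[] args) throws Exception {
        Method m = Bean.class.getDeclaredMethod("secret");
        // With no security manager both calls succeed; under one, the second
        // throws SecurityException unless the whole call stack holds the permission.
        System.out.println(invokePrivileged(m, new Bean()));
        System.out.println(invokeCallerChecked(m, new Bean()));
    }
}
```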