"alesj" wrote : | Is this enough: | The question is will the callers have that privilege. e.g. Where this occurs is when somebody is deploying a bean from xml That will run under the privileges of whoever registered the MC context. We should be testing whether they can get access to the classloader of the other context to create the objects, otherwise it is a security hole. We don't want somebody using the MC to create objects they wouldn't otherwise have access to. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4087287#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...