Here is how I see things: a) We need to be able to start the security manager along with the Java process. For this to happen, we should be able to allow the JDK policy implementation to read the security policy file for the permissions assigned to the various codesource URLs. b) We can NOT inject our own policy implementation which will basically get away from the years of testing the JDK implementation has gone through. We are not just talking about the Sun JDK implementation here. There are other jvm implementations that have differing implementations but they all concur on reading the default policy file format. c) Every permission is configurable for a piece of jar that is loaded from a particular location, be it file: or be it vfsurl: So your question of assigning NetPermission etc should be taken care of. In a nutshell, your VFSClassloaderPolicy generating a protection domain can stay the same. But we really need to have a map of vfs urls to a standard URL instances for the CodeSource. So should we provide a map of vfsurls to regular URLs to the codesource generators? something like: | <bean name="IamACodeSourceGenerator"> | <map key="vfsurl:/somejar" value="file:/somejar" /> | <map key="vfsurl:/xyz.jar" value="http:/xyz.jar" /> | </bean> | Adrian, I know you disagree. But I do not see creating a vfs policy implementation before AS5GA. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4188182#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...