"david.lloyd(a)jboss.com" wrote : And I still like my suggestion of putting stub URL handlers on the boot classpath and then replacing them with a URLStreamHandlerFactory once things get spun up. :-) Then you get a security manager from the start, and additionally you can use the real URLs in codeSource. Is the behavior consistent on Sun,BEA,IBM,Apple etc versions of JDK5,6? The issue is in the vfs classloaders. We have a VF whose real url is hidden inside the VF. If it is brought out and given to the CodeSource URL rather than the flexible vfs url, everyone is happy. Because we can specify the permissions on that VF in real url terms in the policy file and at runtime, the File.isFile() check will not puke with | protectiondomain that failed (vfszip://my.ear/something.war) | { //I have been assigned permissions from the orphan "grant" entry} | The above failure will happen because we cannot specify the vfs url in the security.policy file because the PolicyFile implementation will not read it. So it is the JDK policy file implementation that needs to be torched for being legacy and lazy to change. ;) DML, real url of a virtual file is (file://xyz) and the vfs url is (vfszip:// or vfsfile:). Not sure you got that. :) View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4188588#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...