No, I disagree entirely. Actually it's fine if it's a VFS URL. We've already gotten past that problem - we can specify VFS URLs in the security policy file now without any problems. The problem now is that vfsmemory URLs are not predictable. And in fact -any- VFS URL type might not have a corresponding "real" URL; I don't think this is a reliable solution. I think the best solution is to have predictable/repeatable names for VFS URLs. I don't think using a UUID is really useful in practice anyway. Why not allow a name to be assigned to vfsmemory URLs? Then one could simply put the appropriate vfsmemory URL in the security policy file. If security is a concern, one could simply introduce a permission that is necessary in order to create a vfsmemory URL with a given name. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4190941#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...