Basically, all across our code base (mainly the org projects that come in as libraries)
we have total disregard for sensitive operations that need to go in privileged blocks
(after deciding whether these operations are part of what these libraries need and not
something the caller of these libraries should have).
For example, we are setting the context class loader and setting system properties at
will.
Examples:
https://jira.jboss.org/jira/browse/JBMESSAGING-1446
and such as:
http://anonsvn.jboss.org/repos/jbossas/trunk/tomcat/src/main/org/jboss/we...
    System.setProperty("catalina.ext.dirs",
        (System.getProperty("jboss.server.home.dir") + File.separator + "lib"));
I have this jira issue for AS5:
https://jira.jboss.org/jira/browse/JBAS-5988
I have updated the AS5 testsuite sec policy as much as possible (work in progress).
http://anonsvn.jboss.org/repos/jbossas/trunk/testsuite/src/resources/secu...
We need better control of permissions for things such as Common Criteria Evaluation.
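As an added illustration (not part of the original post and not JBoss code), this is one way a library can confine the two operations named above to privileged blocks, so the permissions are granted to the library's code source only and not to every caller on the stack. The class name, the fallback path and the codeBase in the policy comment are assumptions; the example targets JVMs where the Security Manager is available.

```java
import java.io.File;
import java.security.AccessController;
import java.security.PrivilegedAction;

/** Hypothetical library-internal helper; names are illustrative only. */
public final class PrivilegedOps {
    private PrivilegedOps() {}

    // Helpers are private and take fixed keys from this class only. Exposing a
    // public "set any property" wrapper would hand the library's permissions
    // to untrusted callers.
    private static String readProperty(final String key) {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(key));
    }

    private static void writeProperty(final String key, final String value) {
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            System.setProperty(key, value);
            return null;
        });
    }

    /** Swaps the thread context class loader and returns the previous one. */
    private static ClassLoader swapTccl(final ClassLoader next) {
        return AccessController.doPrivileged((PrivilegedAction<ClassLoader>) () -> {
            Thread t = Thread.currentThread();
            ClassLoader prev = t.getContextClassLoader();
            t.setContextClassLoader(next);
            return prev;
        });
    }

    /** Same operation as the snippet quoted in the post, done in privileged blocks. */
    static void configureExtDirs() {
        String home = readProperty("jboss.server.home.dir");
        if (home == null) home = "/opt/jboss/server/default"; // constructed sample value
        writeProperty("catalina.ext.dirs", home + File.separator + "lib");
    }

    public static void main(String[] args) {
        configureExtDirs();
        ClassLoader prev = swapTccl(PrivilegedOps.class.getClassLoader());
        try {
            System.out.println(System.getProperty("catalina.ext.dirs"));
        } finally {
            swapTccl(prev); // always restore the caller's loader
        }
    }
}
// Matching policy entry (codeBase is a placeholder):
// grant codeBase "file:/path/to/example-lib.jar" {
//   permission java.util.PropertyPermission "jboss.server.home.dir", "read";
//   permission java.util.PropertyPermission "catalina.ext.dirs", "write";
//   permission java.lang.RuntimePermission "setContextClassLoader";
// };
```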