"scott.stark(a)jboss.org" wrote : Right, so what was the solution Adrian said was working with vfs urls? Enable security.xml in the bootstrap.xml, which will install the security manager after classloading.xml. I do not think this is right, one for the reason about delayed SM installation but also for the reason that the protection domains created during the classloading.xml phase with the vfs urls will work later. The simplest is to get the real urls of Virtual files. VirtualFile.getRealURL() which gets delegated to VFHandler->getRealURL. My hacky way of using the standard jar urls worked fine (64 out of 67 tests passing). View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4188578#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...