"adrian(a)jboss.org" wrote : | I also don't see the need for the permission to set the codesource generator. | If somebody can get access to the policy then can make all sorts of other | changes anyway. Getting access to the classloader | implementation objects is already controlled by | | | sm.checkCreateClassLoader(); | | | checks. An uninitiated system administrator configuring the security manager policy can wrongly configure any user applications to have "all" permissions, which means any controls we have placed for security are negated (including checkCreateCL). View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4188145#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...