I have been able to get AS5 started up with the url handler stubs. It worked exactly as DML claimed. Before we inject our version of URLStreamHandlerFactory in AbstractServerImpl, the url handler stubs help in the policy file implementation reading the vfs entries. As the VFSClassloaderPolicy starts creating CodeSource URLs with the vfs urls, the url stream handler factory would have already been injected thereby flushing the pre-registered vfs handler stubs and the intended vfs handlers are created. http://anonsvn.jboss.org/repos/jbossas/trunk/testsuite/src/resources/secu... is the updated server security manager policy. Web class loaders have a codesource url of "vfsfile" while others use "vfszip". We still have some protection domains with file: usage. At this time, we need no change from CL and VFS projects. The JDK implementation takes care of a defined vfs policy url such as: | grant codeBase "vfszip:${jboss.server.home.dir}/lib/-" { | permission java.security.AllPermission; | }; | and implies the following protection code url: codeBase "vfszip:${jboss.server.home.dir}/lib/some.jar" Thanks to DML. Hopefully I should enable the security manager tests tomorrow. Currently, I have 2 out of 67 tests failing (which is not sec mgr related). View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4188645#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...