Hi, Thanks for all the info in this thread and making the javassist CVS changes. This really helped me to get a Tapestry & Hivemind web app running in Tomcat with the security manager enabled. I have a question about the default ProtectionDomain when none is specified (currently null). In order to get my app to run I patched the latest Javassist from CVS so that in the ClassPool toClass(CtClass ct, ClassLoader loader) method it uses: return toClass(ct, loader, ct.getClass().getProtectionDomain()); .. rather than .. return toClass(ct, loader, null); This works as a better default ProtectionDomain for me, but I was not sure if it would be unsuitable for others. I am happy to use a patched version until such time as HiveMind passes a ProtectionDomain, but if this default were suitable enough to make it into a future version of Javassist then that would be even better :) Cheers Paul View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964215#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...