Incorreclty bypass the SecurityManager and call AccessControl.checkPermission() directly ---------------------------------------------------------------------------------------- Key: JBWS-3974 URL: https://issues.jboss.org/browse/JBWS-3974 Project: JBoss Web Services Issue Type: Bug Components: jbossws-integration Environment: EAP 7.0.0.Beta1, jbossws-spi 3.1.1 (Couldn't find in affected version list) Reporter: Jason Shepherd Assignee: Jim Ma Priority: Minor Fix For: jbossws-cxf-5.1.4.Final Calls to AccessControl.checkPermission() should be done by the Security Manager so that policies can be centrally managed. See this guide as a reference: bq. Note that the method AccessController.checkPermission is normally invoked indirectly through invocations of specific SecurityManager methods that begin with the word check such as checkConnect or through the method SecurityManager.checkPermission. Normally, these checks only occur if a SecurityManager has been installed; code checked by the AccessController.checkPermission method first checks if the method System.getSecurityManager returns null. [https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivile...] Also refer to fixed issue WFCORE-1266, as it is similar.