Currently, if an application declares its own literal which extends AnnotationLiteral and is run with SecurityManager enabled, some methods might lead to SecurityException (e.g. AnnotationLiteral.getMembers() called in constructor requires accessDeclaredMembers permission). The only possible fix seems to be to grant the permission to the deployment/application which is not very convenient. If privileged actions were used, the app server could grant the permissions to the provided CDI API module only.