We need to redesign the remote classloading service such that there is more control at the deployment layer on what is exposed.

I will create a forum thread where this can be discussed in more detail.

Requirement 1:
Provide sensible defaults, which probably means no remote classloading by default

Requirement 2:
Individual deployments can choose whether remote classloading is enabled and what is available remotely

Requirement 3:
Allow "aspects" of the deployment to enhance what can be downloaded remotely, e.g. RMI/IIOP generated proxies or AOP remoting proxies

Requirement 4:
Use the spec defined RMIClassloaderSPI (exposed via an MBean) to make this configurable

Requirement 5:
Alternate implementations, e.g. exposure of remote classloading via a servlet in Tomcat or a custom resource url that triggers the use of invokers to do remote classloading.