With the security manager enabled, all the tests in org.jboss.test.cmp2.commerce where the EJB makes mbean invocations are failing due to a missing getClassLoader RuntimePermission when org.jboss.mx.server.InvocationContext.loadClass() tries to get the TCCL. These passed in M1 and earlier because InvocationContext would invoke getContextClassLoader() in a PrivilegedAction; the version of InvocationContext in trunk makes a direct invocation.

I need to investigate the history of the InvocationContext class to see why this change was made; possibly the intent was to require the caller to have the appropriate permission, in which case the security policy for the test needs updating.