The JAXWS SPI Provider uses ServiceLoader to look for user specified provider implementations. The search is performed using the current TCCL.
When iterating on the ServiceLoader results, read permission on the relevant jar is required. It looks correct to run in a privileged block there, also considering that the user would need a permission for setting/changing the TCCL.