We should start from the server.policy and client.policy that comes in the AS testsuite (see testsuite/src/resources/securitymgr). Those policies most probably require additions for some trusted libraries used by jbossws-native and apache cxf. The goal is being able to run the whole testsuite under a security manager.