HttpRootContext's static initializer does service loading outside a privileged block. This will fail in a security manager environment where the caller does not have permissions configured to read the jar the provides the service impl. See WFLY-11363 for an example.