i believe those issues are settled, although i hope i didn't introduce other ones in the process (again); security is real tricky. we probably need a bit of a code overhaul at some point in this area, and a clear set of security policies maybe in an xml doc (expanding on what we already have in our xml mbean config).
probably the best way to make sure things are ok is through a junit test, so i'm adding that to my list of things to do. if our security polices can be expressed in xml, we can also automatically test them based on that configuration too.