Also I don't see a test in the kernel project that is validating
that you can't use the xml deployment (or programmatic deployment)
to bypass the private field access.

e.g. See the AccessControlTestCase that validates
that somebody can't use the MC to get access the system properties if they
don't have the right to do so.

Looking at that test, plus trying the 'suck it and see' principle with setting up the FieldAccess test, I fail to get it to fail on access restriction.

My bean looks like this:

public class AccessBean
{
 @SuppressWarnings("unused")
 private String priString;
 protected String protString;
 public String pubString;
}

and the test class extends AbstractDeploymentTest which enables security.

 public static AbstractTestDelegate getDelegate(Class<?> clazz) throws Exception
 {
 AbstractTestDelegate delegate = MicrocontainerTest.getDelegate(clazz);
 delegate.enableSecurity = true;
 return delegate;
 }

While trying this:

 <bean name="private" class="org.jboss.test.kernel.deployment.support.AccessBean" access-mode="ALL">
 <property name="priString">foobar</property>
 </bean>

 <bean name="protected" class="org.jboss.test.kernel.deployment.support.AccessBean" access-mode="ALL">
 <property name="protString">foobar</property>
 </bean>

both beans get normally installed.

What am I missing?
Since 'enableSecurity=true' does the trick on PropertyField2DependencyTestCase (where I had to disable it in order to test what I wanted to test).