A problem I have run into while looking at running jboss5 under a security manager is that the interceptor class is not being created with a useful ProtectionDomain/CodeSource. It should be using the CodeSource of the aspect object so that one can use the ProtectionDomain of the aspect as the basis for security policy configuration. For example, the call to the TransformerCommon should be passing in the ProtectionDomain obtained from the apect:
ProtectionDomain pd = aspect.getClass().getProtectionDomain();
iclass = TransformerCommon.toClass(clazz, cl, pd);
I'm going through the calls to TransformerCommon.toClass and updating these to pass in a ProtectionDomain to test out a fix.
I have committed a change to trunk to require a ProtectionDomain to be passed into the TransformerCommon.toClass calls and updated the callers. This gets past the problems of null CodeSources in the ProtectionDomain check. In general we should not be creating classes without a ProtectionDomain as it will not meaningful CodeSource location.