In JSSE 1.0.2 (FCS), JSSE class files use the GetPropertyAction convenience class from sun.security.action to read system properties in a privileged operation.

With security enabled, this only works if the JSSE JAR files are installed in the JRE's extension directory and loaded by the extension classloader.

However, this will not work if an application uses the system
classloader for delegation by calling ClassLoader.findSystemClass,
which gets the system loader and calls its loadClass
method.

Before delegating, the loadClass method of the system classloader
calls the security manager's checkPackageAccess method, which checks
whether the class symbol to be resolved belongs to a restricted
package, by parsing the list of restricted packages in the runtime's
security configuration file. By default, this list contains the "sun"
package only.

If the package name in question (in this case: "sun.security.action")
starts with or is equal to any restricted package, a Java 2 permission
check is performed, checking for the RuntimePermission named

  "accessClassInPackage."+<pkgname>

(in this case: "accessClassInPackage.sun.security.action").

If any of the classes on the stack doesn't have this permission (which
will most likely be the case), a SecurityException is raised.

This is the problem we have been encountering as we are trying to load the JSSE JAR files from a service bundle in Java Embedded Server (JES).