When running under a Security Manager, validation and generation of XML Signatures may need to resolve References with file or http URLs. Thus, the module should be granted the appropriate permissions to access those resources. These calls should not be made privileged however (i.e. wrapped in AccessController.doPrivileged). The calling code (or all Protection Domains in the thread) would also need to be granted the appropriate permissions.