ManifestUberJarDuplicatedJarsWarner has a method called isClasspathCorrectAsync which dispatches a task to the fork-join pool. The task loads resources from the Infinispan JAR.

This fails under a security manager. The common FJP executes tasks with no permissions. One of two things must be done:

1. Do not use the fork-join pool; find some other async solution which preserves the access control context.
2. Capture and propagate the current AccessControlContext when calling isClasspathCorrectAsync. This can be done by calling AccessController.getContext() before submitting the task, and then, within the submitted lambda, wrap the call to isClasspathCorrect with a call to AccessController.doPrivileged() which restores the captured context (by giving it as the second parameter). Note that this will entail a nested lambda or anonymous class.