diff -r 7386eca865e1 -r 8f2986ff0235 src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/MetroConfigLoader.java
--- a/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/MetroConfigLoader.java	Thu May 30 10:58:13 2013 -0700
+++ b/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/MetroConfigLoader.java	Wed Jun 12 14:47:09 2013 +0100
@@ -42,10 +42,13 @@
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.ws.WebServiceException;
 import java.lang.reflect.Method;
+import java.lang.reflect.ReflectPermission;
 import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
+import java.security.*;
+import java.util.PropertyPermission;
 import java.util.logging.Level;
 
 /**
@@ -235,7 +238,7 @@
     private static MetroConfig loadMetroConfig(@NotNull URL resourceUrl) {
         MetroConfig result = null;
         try {
-            JAXBContext jaxbContext = JAXBContext.newInstance(MetroConfig.class.getPackage().getName());
+            JAXBContext jaxbContext = createJAXBContext();
             Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
             XMLInputFactory factory = XmlUtil.newXMLInputFactory(true);
             final JAXBElement<MetroConfig> configElement = unmarshaller.unmarshal(factory.createXMLStreamReader(resourceUrl.openStream()), MetroConfig.class);
@@ -246,6 +249,38 @@
         return result;
     }
 
+    private static JAXBContext createJAXBContext() throws Exception {
+        if (isJDKInternal()) {
+            // since jdk classes are repackaged, extra privilege is necessary to create JAXBContext
+            return AccessController.doPrivileged(
+                    new PrivilegedExceptionAction<JAXBContext>() {
+                        @Override
+                        public JAXBContext run() throws Exception {
+                            return JAXBContext.newInstance(MetroConfig.class.getPackage().getName());
+                        }
+                    }, createSecurityContext()
+            );
+        } else {
+            // usage from JAX-WS/Metro/Glassfish
+            return JAXBContext.newInstance(MetroConfig.class.getPackage().getName());
+        }
+    }
+
+    private static AccessControlContext createSecurityContext() {
+        PermissionCollection perms = new Permissions();
+        perms.add(new RuntimePermission("accessClassInPackage.com" + ".sun.xml.internal.ws.runtime.config")); // avoid repackaging
+        perms.add(new ReflectPermission("suppressAccessChecks"));
+        return new AccessControlContext(
+                new ProtectionDomain[]{
+                        new ProtectionDomain(null, perms),
+                });
+    }
+
+    private static boolean isJDKInternal() {
+        // avoid "string repackaging"
+        return MetroConfigLoader.class.getName().startsWith("com." + "sun.xml.internal.ws");
+    }
+
     private static class MetroConfigUrlLoader extends ResourceLoader {
 
         Container container; // TODO remove the field together with the code path using it (see below)