diff --git a/openjpa-kernel/src/main/java/org/apache/openjpa/datacache/DataCacheScheduler.java b/openjpa-kernel/src/main/java/org/apache/openjpa/datacache/DataCacheScheduler.java
index 99de5c9bd..316c085f4 100644
--- a/openjpa-kernel/src/main/java/org/apache/openjpa/datacache/DataCacheScheduler.java
+++ b/openjpa-kernel/src/main/java/org/apache/openjpa/datacache/DataCacheScheduler.java
@@ -18,6 +18,7 @@
  */
 package org.apache.openjpa.datacache;
 
+import java.security.AccessController;
 import java.text.DateFormat;
 import java.text.SimpleDateFormat;
 import java.util.Calendar;
@@ -28,6 +29,7 @@ import java.util.StringTokenizer;
 
 import org.apache.openjpa.conf.OpenJPAConfiguration;
 import org.apache.openjpa.lib.log.Log;
+import org.apache.openjpa.lib.util.J2DoPrivHelper;
 import org.apache.openjpa.lib.util.Localizer;
 import org.apache.openjpa.lib.util.concurrent.ConcurrentHashMap;
 import org.apache.openjpa.util.InvalidStateException;
@@ -97,7 +99,9 @@ public class DataCacheScheduler
         _caches.put(cache, schedule);
         _stop = false;
         if (_thread == null) {
-            _thread = new Thread(this, _loc.get("scheduler-name").getMessage());
+            _thread = (Thread) AccessController
+                .doPrivileged(J2DoPrivHelper.newThreadAction(this, _loc.get(
+                    "scheduler-name").getMessage()));
             _thread.setDaemon(true);
             _thread.start();
             if (_log.isTraceEnabled())
diff --git a/openjpa-kernel/src/main/java/org/apache/openjpa/util/ProxyManagerImpl.java b/openjpa-kernel/src/main/java/org/apache/openjpa/util/ProxyManagerImpl.java
index 97aeb1f94..f8325dfef 100644
--- a/openjpa-kernel/src/main/java/org/apache/openjpa/util/ProxyManagerImpl.java
+++ b/openjpa-kernel/src/main/java/org/apache/openjpa/util/ProxyManagerImpl.java
@@ -26,6 +26,7 @@ import java.lang.reflect.Constructor;
 import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
 import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.security.PrivilegedActionException;
 import java.sql.Timestamp;
 import java.util.ArrayList;
@@ -438,7 +439,7 @@ public class ProxyManagerImpl
      * Return the cached factory proxy for the given bean type.
      */
     private ProxyBean getFactoryProxyBean(Object orig) {
-        Class type = orig.getClass();
+        final Class type = orig.getClass();
         if (isUnproxyable(type))
             return null;
 
@@ -449,7 +450,12 @@ public class ProxyManagerImpl
                 ProxyBean.class);
             Class pcls = loadBuildTimeProxy(type, l);
             if (pcls == null) {
-                BCClass bc = generateProxyBeanBytecode(type, true);
+                BCClass bc = (BCClass) AccessController
+                    .doPrivileged(new PrivilegedAction() {
+                        public Object run() {
+                            return generateProxyBeanBytecode(type, true);
+                        }
+                    });
                 if (bc != null)
                     pcls = GeneratedClasses.loadBCClass(bc, l);
             }
@@ -1601,7 +1607,7 @@ public class ProxyManagerImpl
             })); 
         }
 
-        ProxyManagerImpl mgr = new ProxyManagerImpl();
+        final ProxyManagerImpl mgr = new ProxyManagerImpl();
         Class cls;
         BCClass bc;
         for (int i = 0; i < types.size(); i++) {
@@ -1623,8 +1629,15 @@ public class ProxyManagerImpl
                 bc = mgr.generateProxyDateBytecode(cls, false);
             else if (Calendar.class.isAssignableFrom(cls))
                 bc = mgr.generateProxyCalendarBytecode(cls, false);
-            else
-                bc = mgr.generateProxyBeanBytecode(cls, false);
+            else {
+                final Class fCls = cls;
+                bc = (BCClass) AccessController
+                    .doPrivileged(new PrivilegedAction() {
+                        public Object run() {
+                            return mgr.generateProxyBeanBytecode(fCls, false);
+                        }
+                    });
+            }
 
             System.out.println(bc.getName());
             bc.write(new File(dir, bc.getClassName() + ".class"));
diff --git a/openjpa-lib/src/main/java/org/apache/openjpa/lib/util/J2DoPrivHelper.java b/openjpa-lib/src/main/java/org/apache/openjpa/lib/util/J2DoPrivHelper.java
index 32cb35f1e..f3269e11c 100644
--- a/openjpa-lib/src/main/java/org/apache/openjpa/lib/util/J2DoPrivHelper.java
+++ b/openjpa-lib/src/main/java/org/apache/openjpa/lib/util/J2DoPrivHelper.java
@@ -81,6 +81,7 @@ import serp.bytecode.Project;
  * <li>Socket.accept
  * <li>System.getProperty
  * <li>Thread.getContextClassLoader
+ * <li>Thread new
  * <li>TemporaryClassLoader new
  * <li>URL.openStream
  * <li>URLConnection.getContent
@@ -788,6 +789,23 @@ public abstract class J2DoPrivHelper {
         };
     }
 
+    /**
+     * Return a PrivilegedAction object for new Thread().
+     * 
+     * Requires security policy:
+     *   'permission java.lang.RuntimePermission "modifyThreadGroup";'
+     * 
+     * @return Thread
+     */
+    public static final PrivilegedAction newThreadAction(
+        final Runnable target, final String name) {
+        return new PrivilegedAction() {
+            public Object run() {
+                return new Thread(target, name);
+            }
+        };
+    }
+
     /**
      * Return a PrivilegedExceptionAction object for url.openStream().
      *