Index: src/java/org/datanucleus/query/QueryUtils.java
===================================================================
--- src/java/org/datanucleus/query/QueryUtils.java	(revision 2320)
+++ src/java/org/datanucleus/query/QueryUtils.java	(working copy)
@@ -24,6 +24,8 @@
 import java.lang.reflect.Modifier;
 import java.math.BigDecimal;
 import java.math.BigInteger;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.text.CharacterIterator;
 import java.text.StringCharacterIterator;
 import java.util.ArrayList;
@@ -49,6 +51,9 @@
     protected static final Localiser LOCALISER=Localiser.getInstance(
         "org.datanucleus.Localisation", ObjectManagerFactoryImpl.class.getClassLoader());
 
+    /** Convenience Class[] for parameter types in getMethod call. */
+    protected static Class[] classArrayObjectObject = new Class[]{Object.class, Object.class};
+
     /**
      * Utility to return if the passed result class is a user-type, and so requires fields matching up.
      * @param className the class name looked for 
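Review bot: The new `classArrayObjectObject` field is a non-final `protected static` array, so any subclass or same-package code can reassign it or overwrite its elements. A later hunk in this file passes it to `resultClass.getMethod("put", classArrayObjectObject)` inside a `doPrivileged` block, so the signature looked up with the library's privileges can be changed from outside. It only serves as a constant, so declare it `private static final Class[] CLASS_ARRAY_OBJECT_OBJECT = new Class[]{Object.class, Object.class};`, or build the array inside the privileged action. `final` alone does not stop element writes, so making it private matters more than the modifier.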
@@ -239,7 +244,7 @@
      * @param value The value to apply
      * @return Whether it was updated
      */
-    private static boolean setFieldForResultObject(Object obj, String fieldName, Field field, Object value)
+    private static boolean setFieldForResultObject(final Object obj, String fieldName, Field field, Object value)
     {
         boolean fieldSet = false;
 
@@ -330,7 +335,13 @@
             else if (m == null)
             {
                 // Find a method with the right name and a single arg and try conversion of the supplied value
-                Method[] methods = obj.getClass().getDeclaredMethods();
+                Method[] methods = (Method[])AccessController.doPrivileged(new PrivilegedAction() 
+                {
+                    public Object run() 
+                    {
+                        return obj.getClass().getDeclaredMethods();
+                    }
+                });
                 for (int i=0;i<methods.length;i++)
                 {
                     Class[] args = methods[i].getParameterTypes();
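Review bot: The `doPrivileged` block calls `getDeclaredMethods()` on the class of a caller-supplied `obj`, so under a security manager the declared-member access check is made against this library's protection domain, not against the code that chose the result class. Keeping the privileged scope to that single call is right, but nothing records why it is safe. A comment such as `// Privileged: obj is a query result object; only single-arg methods matching the field name are used below` would do that. The claim depends on callers outside this hunk, so confirm it before writing it down. `setFieldForResultObject` starts before the hunk and continues past it.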
@@ -417,16 +428,19 @@
      * @param resultClass The result class
      * @return The put(Object, Object) method
      */
-    public static Method getPublicPutMethodForResultClass(Class resultClass)
+    public static Method getPublicPutMethodForResultClass(final Class resultClass)
     {
-        String putMethodName = "put";
-        Method m = ClassUtils.getMethodForClass(resultClass, putMethodName, new Class[]{Object.class, Object.class});
-
-        if (m != null && Modifier.isPublic(m.getModifiers()))
+        return (Method)AccessController.doPrivileged(new PrivilegedAction() 
         {
-            return m;
-        }
-        return null;
+            public Object run() 
+            {
+                try {
+                    return resultClass.getMethod("put", classArrayObjectObject);
+                } catch (NoSuchMethodException ex) {
+                    return null;
+                }
+            }
+        });
     }
 
     /**
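Review bot: `getPublicPutMethodForResultClass` is `public static` and now runs `resultClass.getMethod(...)` under `doPrivileged` for whatever `Class` the caller passes. The package-access check that `Class.getMethod` performs under a security manager is therefore evaluated with DataNucleus' permissions instead of the caller's. The result is limited to a public `put(Object, Object)`, which bounds the exposure, but the Javadoc should state the contract, e.g. `The lookup runs with the privileges of this library; pass only the result class of the query being executed.` Separately, `getMethod` replaces `ClassUtils.getMethodForClass` plus the `Modifier.isPublic` test. Whether the two resolve inherited methods the same way is not visible here, so check it against a result class that inherits `put` from a superclass.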
Index: src/java/org/datanucleus/jdo/JDOPersistenceManagerFactory.java
===================================================================
--- src/java/org/datanucleus/jdo/JDOPersistenceManagerFactory.java	(revision 2320)
+++ src/java/org/datanucleus/jdo/JDOPersistenceManagerFactory.java	(working copy)
@@ -21,6 +21,8 @@
 import java.io.IOException;
 import java.io.ObjectOutputStream;
 import java.lang.reflect.Method;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.Hashtable;
@@ -33,6 +35,7 @@
 import javax.jdo.PersistenceManager;
 import javax.jdo.PersistenceManagerFactory;
 import javax.jdo.listener.InstanceLifecycleListener;
+import javax.jdo.spi.JDOImplHelper;
 import javax.naming.Context;
 import javax.naming.Name;
 import javax.naming.Reference;
@@ -47,6 +50,7 @@
 import org.datanucleus.exceptions.NucleusException;
 import org.datanucleus.metadata.PersistenceUnitMetaData;
 import org.datanucleus.metadata.TransactionType;
+import org.datanucleus.state.JDOStateManagerImpl;
 import org.datanucleus.util.ClassUtils;
 import org.datanucleus.util.NucleusLogger;
 import org.datanucleus.util.StringUtils;
@@ -290,6 +294,16 @@
         omfContext.setApi(api); // Set the API used by the context
         setOptions(ApiAdapterFactory.getInstance().getApiAdapter(api).getDefaultFactoryProperties());
 
+        // Register the StateManager class with JDOImplHelper for security
+        AccessController.doPrivileged(new PrivilegedAction() 
+        {
+            public Object run() 
+            {
+                JDOImplHelper.registerAuthorizedStateManagerClass(JDOStateManagerImpl.class);
+                return null;
+            }
+        });
+
         // Generate the properties to apply to the PMF
         Map pmfProps = new HashMap();
 
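Review bot: The comment on the added block does not say which permission the privileged call needs. `JDOImplHelper.registerAuthorizedStateManagerClass` throws `SecurityException` unless the calling code holds `JDOPermission("setStateManager")`, which here must be granted to the DataNucleus codebase. Extend the comment to something like `// Requires JDOPermission("setStateManager") for this jar; doPrivileged keeps application code from needing it`. The registration also appears to run on every pass through this code rather than once. If this is the constructor (its start is outside the hunk), a static initializer would be the usual place for a one-time registration.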
