Created attachment 30328 [details] Patch to fix the problem With 2 JSP on including the other with <jsp:include page="blabla" flush="true"/> you get: java.lang.RuntimePermission accessClassInPackage.org.apache.coyote.http11 when calling the jsp the first time subsequent requests are working.
Created attachment 30329 [details] Simple webapp to show the problem extract jar in webapp start tomcat bin/catalina.sh start -security curl -v curl -v http://localhost:8080/smtest/test.jsp error curl -v curl -v http://localhost:8080/smtest/test.jsp ok
Created attachment 30336 [details] patch on SecurityClassLoad
Patch applied to 6.0.x. This will be included in 6.0.38 onwards.