The new SecureIOThreadFactory method in org.apache.tomcat.websocket.AsyncChannelWrapperSecure sets the context class loader of the secure websocket client threads to it's own standard class loader - thus preventing the them from accessing webapp resources. Removing this line restores access, as the new threads then have the classloader of the calling (webapp) thread
Sorry. That was me being overly cautious about memory leaks. The threads will be stopped when the connection is closed so there should not be the possibility of a memory leak. This has been fixed in 7.0.x for 7.0.56 onwards and in 8.0.x for 8.0.11 onwards.