Permissions checking in public static methods is needed for Common Criteria certification. com.arjuna.webservices11.ServiceRegistry#getRegistry method has to have such checking.
Pull request with this fix was merged to JBossTS and will be available once JBossTS 4.17.19.Final is released.
Tom Jenkinson <email@example.com> updated the status of jira JBTM-2076 to Closed
EAP 6.3.0.ER4 contained this fix as Narayana 4.17.19.Final was there.
I've checked this in EAP 6.3.0.GA (org/jboss/xts/main/jbossxts-4.17.21.Final-redhat-2.jar) by decompiling the java classes as we do not have tests for checking security manager on all classes.