There is another which needs to be addressed. The URI protocol behind JNDI_CONFIGURATION_RESOURCE, you ultimately need to trust this protocol or allow only file://, but this is a different discussion.