Just for curiosity, I tried tomee with jdk14 (upgrading xbean). I found out that
the java.security.acl package is removed from jdk14
(https://bugs.openjdk.java.net/browse/JDK-8191138 ) and
java.security.acl.Group is referenced in AbstractSecurityService (I don't
know if it is used somewhere else).
I've tried to patch it making AbstractSecurityService.Group implement Principal
instead of java.security.acl.Group and everything works, at least in my
environment, but I don't know about other setups.