problem is in com.sun.deploy.cache.CachedJarFile, method getManifest().
The first call to getManifest will trigger lazy initialization of manRef, which is a SoftReference to the manifest object for the JAR.
However, after we did the initialization, we did not return the manifest, but just return null. Therefore the first call to getManifest will return null.
In URLClassLoader.defineClass, it will see if the JAR has manifest and determine whether to definePackage with just the pkgname or with the pkgname, url and manifest. In this case, first time manifest we got is null, so definePackage is called with pkgname only. Next time the same package loads again, the manifest will be found, but the pkg is not sealed by definePackage, hence we get the sealing violation exception.