JDK-8046006 : 8u20: FX app fails to connect domain:80 while this domain is allowed in cross domain file
  • Type: Bug
  • Component: deploy
  • Sub-Component: javafx
  • Affected Version: 8u20
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2014-06-05
  • Updated: 2015-01-21
  • Resolved: 2014-07-08
Version table:
  • JDK 8: 8u20 b22 (Fixed)
  • JDK 9: 9 (Fixed)
Description
Test scenario:
The FX app tries to access the host http://kgb.us.oracle.com in multiple threads. This domain is allowed, since the cross-domain XML file has an <allow-access-from domain="*" secure="true"> element for this app.
But with 8u20-b16, the app fails to connect to http://kgb.us.oracle.com due to: java.security.AccessControlException: access denied ("java.net.SocketPermission" "kgb.us.oracle.com:80" "connect,resolve")

ENV: win7/x86 and x64/jre8u20-b16
Steps to reproduce:
     1) Import self.valid.cert to JCP-Security-"Manage Certificates"-"Signer CA" to have a valid cert: http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/FXCrossDomain/lib/self.valid.cert
     2) Launch an FX app that sets the crossdomain file via the runtime args java_vm_args=-Djnlp.altCrossDomainXMLFiles=http://kgb.us.oracle.com/CrossDomainSetup/GOOD_XML_ALLOWED/crossdomain.xml in the jnlp:
        javaws http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/FXCrossDomain/jnlp/testFXCrossDomainMultiThreads.jnlp
     3) The contents of the crossdomain file http://kgb.us.oracle.com/CrossDomainSetup/GOOD_XML_ALLOWED/crossdomain.xml:
        <cross-domain-policy>
            <allow-access-from domain="*" secure="true"/>
            <allow-http-request-headers-from domain="*" headers="Authorization,X-HTTP-Method-Override" secure="true"/>
        </cross-domain-policy>
     4) The app tries to access "http://kgb.us.oracle.com" in multiple threads.
     5) A warning dialog will show up. Accept it.
     6) If "Test FAILed" shows up (this means connecting to "http://kgb.us.oracle.com" fails), then this bug is reproduced. The following exception will show up in the log:
network: Connecting http://kgb.us.oracle.com/ with proxy=DIRECT
Connection fail to: http://kgb.us.oracle.com/ due to java.security.AccessControlException: access denied ("java.net.SocketPermission" "kgb.us.oracle.com:80" "connect,resolve")
java.security.AccessControlException: access denied ("java.net.SocketPermission" "kgb.us.oracle.com:80" "connect,resolve")
	at java.security.AccessControlContext.checkPermission(Unknown Source)
	at java.security.AccessController.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkConnect(Unknown Source)
	at sun.plugin2.applet.SecurityManagerHelper.checkConnectHelper(Unknown Source)
	at sun.plugin2.applet.FXAppletSecurityManager.checkConnect(Unknown Source)
	at sun.net.www.http.HttpClient.openServer(Unknown Source)
	at sun.net.www.http.HttpClient.<init>(Unknown Source)
	at sun.net.www.http.HttpClient.New(Unknown Source)
	at sun.net.www.http.HttpClient.New(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
	at deploy.sqe.TestFXCrossDomainMultiThreads$ConnectionThread.makeConnection(TestFXCrossDomainMultiThreads.java:90)
	at deploy.sqe.TestFXCrossDomainMultiThreads$ConnectionThread.run(TestFXCrossDomainMultiThreads.java:82)

Expected results: "Test PASSed" should show up. This means connecting to "http://kgb.us.oracle.com" succeeds.

SRC:
http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/FXCrossDomain/src/TestFXCrossDomainMultiThreads.java

Note: the above app will succeed with jre8u5-b13.
Comments
Stephen, please review for 8u20 inclusion.
27-06-2014

It looks like a regression of JDK-8036911.
19-06-2014

regression_test_src: http://sqe-hg.us.oracle.com/hg/index.cgi/testbase/javase/functional/8/deployment2/file/faa41b8df15c/new_framework/tests/javafx/FXCrossDomain/src/FXCrossDomainNegativeTest.java FXCrossDomainNegativeTest::testFXCrossDomainMultiThreads
05-06-2014

Affected tests: FXCrossDomainNegativeTest::testFXCrossDomainMultiThreads
05-06-2014