The default policy for each domain limits the permissions of J2EE deployed applications to the minimal set of permissions required for these applications to operate correctly. If you develop applications that require more than this default set of permissions, you can edit the server.policy file to add the custom permissions that your applications need.
You should add the extra permissions only to the applications that require them, not to all applications deployed to a domain. Do not add extra permissions to the default set (the grant block with no codebase, which applies to all code). Instead, add a new grant block with a codebase specific to the application requiring the extra permissions, and only add the minimally necessary permissions in that block.
Do not add java.security.AllPermission to the server.policy file for application code. Doing so completely defeats the purpose of the security manager, yet you still get the performance overhead associated with it.
As noted in the J2EE specification, an application should provide documentation of the additional permissions it needs. If an application requires extra permissions but does not document the set it needs, contact the application author for details.
As a last resort, you can iteratively determine the permission set an application needs by observing AccessControlException occurrences in the server log. If this is not sufficient, you can add the -Djava.security.debug=fail JVM option to the domain. For details, see the Sun Java System Application Server Platform Edition 8.1 2005Q2 Update 2 Administration Guide or the Sun Java System Application Server Platform Edition 8.1 2005Q2 Update 2 Administration Reference.
You can use the J2SE standard policytool or any text editor to edit the server.policy file. For more information, see:
For detailed information about the permissions you can set in the server.policy file, see:
The Javadoc for the Permission class is at: