6.4. Java Security Policy Statements

A policy file specifies permissions to modules and deployed applications. Permissions are applied to deployed applications via the VFS protocol. See the following Oracle Java SE documentation page Default Policy Implementation and Policy File Syntax for further information at http://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html
The following is an example of policy statements.
// Grant all to the jboss-modules.jar
grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" {
  permission java.security.AllPermission;

// Standard extensions get all permissions by default
grant codeBase "file:${{java.ext.dirs}}/*" {
	permission java.security.AllPermission;

// Grant read PropertyPermission for all properties to a deployed EJB application
grant codeBase "vfs:/content/ejb-app.jar" {
  permission java.util.PropertyPermission "*", "read";

// Grant read FilePermission for all files to a web application
grant codeBase "vfs:/content/myapp.war/-" {
  permission java.io.FilePermission "/-", "read";


On Microsoft Windows Server, when specifying a FilePermission statement including a file path in a string, not a codeBase URL, you must replace single backslash characters with two backslash characters. This is because when file paths are parsed, a single backslash is interpreted as an escape character.
Module permissions are defined in module.xml (version 1.2 or higher). The following example demonstrates specifying module permissions.
<module xmlns="urn:jboss:module:1.2" name="org.jboss.custom.module">
  <grant permission="java.io.FilePermission" name="/-" actions="read"/>
  <grant permission="java.io.FilePermission" name="/-" actions="read"/>

  <resource-root path="custom-module.jar" />

If there is no <permissions/> element, then AllPermission permission is granted to the module. If there is an empty <permissions/> element, then no permission is granted.