Here is a sample customized Java security policy file.
grant codeBase "file:///Users/me/javadb/lib/derby.jar" { // // These permissions are needed for everyday, embedded Derby usage. // permission java.lang.RuntimePermission "createClassLoader"; permission java.util.PropertyPermission "derby.*", "read"; permission java.util.PropertyPermission "user.dir", "read"; permission java.util.PropertyPermission "derby.storage.jvmInstanceId", "write"; permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals"; // The next two properties are used to determine if the VM is 32-bit // or 64-bit. permission java.util.PropertyPermission "sun.arch.data.model", "read"; permission java.util.PropertyPermission "os.arch", "read"; permission java.io.FilePermission "/Users/me/derby/dummy","read"; permission java.io.FilePermission "/Users/me/derby/dummy${/}-", "read,write,delete"; // // This permission lets a DBA reload the policy file while the server // is still running. The policy file is reloaded by invoking the // SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure. // permission java.security.SecurityPermission "getPolicy"; // // This permission lets you back up and restore databases // to and from arbitrary locations in your file system. // // This permission also lets you import/export data to and from // arbitrary locations in your file system. // // You may want to restrict this access to specific directories. // permission java.io.FilePermission "/Users/me/derby/dummy/backups/-", "read,write,delete"; // imports/exports permission java.io.FilePermission "/Users/me/derby/dummy/imports/-", "read,write,delete"; // jar files of user-written functions and procedures permission java.io.FilePermission "/Users/me/derby/dummy/jars/-", "read,write,delete"; // // Permissions needed for JMX based management and monitoring, which is // available only for JVMs that support "platform management", that is, // Java SE 5.0 or above. // // Allows this code to create an MBeanServer: // permission javax.management.MBeanServerPermission "createMBeanServer"; // // Allows access to Derby's built-in MBeans, within the domain // org.apache.derby. Derby must be allowed to register and unregister // these MBeans. It is possible to allow access only to specific // MBeans, // attributes, or operations. To fine-tune this // permission, see the API documentation of // javax.management.MBeanPermission or the JMX Instrumentation and // Agent Specification. // permission javax.management.MBeanPermission "org.apache.derby.*#[org.apache.derby:*]", "registerMBean,unregisterMBean"; // // Trusts Derby code to be a source of MBeans and to register these in // the MBean server. // permission javax.management.MBeanTrustPermission "register"; // getProtectionDomain is an optional permission needed for printing // classpath information to derby.log. permission java.lang.RuntimePermission "getProtectionDomain"; // // The following permission must be granted for // Connection.abort(Executor) to work. Note that this permission must // also be granted to outer (application) code domains. // permission java.sql.SQLPermission "callAbort"; // Needed by file permissions restriction system. permission java.lang.RuntimePermission "accessUserInformation"; permission java.lang.RuntimePermission "getFileStoreAttributes"; // This permission is needed to connect to the LDAP server in order // to authenticate users. // permission java.net.SocketPermission "127.0.0.1:1389", // "accept,connect,resolve"; }; grant codeBase "file:///Users/me/javadb/lib/derbynet.jar" { // // This permission lets the Network Server manage connections from // clients. // // Accept connections from any host. Derby is listening to the host // interface specified via the -h option to "NetworkServerControl // start" on the command line, via the address parameter to the // org.apache.derby.drda.NetworkServerControl constructor in the API // or via the property derby.drda.host; the default is localhost. // You may want to restrict allowed hosts, e.g. to hosts in a specific // subdomain, e.g. "*.example.com". permission java.net.SocketPermission "localhost:0-", "accept"; // // Needed for server tracing. // permission java.io.FilePermission "/Users/me/derby/dummy/traces${/}-", "read,write,delete"; // Needed by file permissions restriction system. permission java.lang.RuntimePermission "accessUserInformation"; permission java.lang.RuntimePermission "getFileStoreAttributes"; permission java.util.PropertyPermission "derby.__serverStartedFromCmdLine", "read, write"; // JMX: Needed to boot MBeans permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals"; // JMX: Uncomment this permission to allow the ping operation of the // NetworkServerMBean to connect to the Network Server. //permission java.net.SocketPermission "*", "connect,resolve"; // // Needed by sysinfo. The file permission is needed to check the // existence of jars on the classpath. You can limit this permission to // just the locations that hold your jar files. // // In this template file, this block of permissions is granted to // derbynet.jar under the assumption that derbynet.jar is the first jar // file in your classpath that contains the sysinfo classes. If that is // not the case, then you will want to grant this block of permissions // to the first jar file in your classpath that contains the sysinfo // classes. Those classes are bundled into the following Derby jar // files: // // derbynet.jar // derby.jar // derbyclient.jar // derbytools.jar // permission java.util.PropertyPermission "user.*", "read"; permission java.util.PropertyPermission "java.home", "read"; permission java.util.PropertyPermission "java.class.path", "read"; permission java.util.PropertyPermission "java.runtime.version", "read"; permission java.util.PropertyPermission "java.fullversion", "read"; permission java.lang.RuntimePermission "getProtectionDomain"; permission java.io.FilePermission "/Users/me/javadb/lib/-", "read"; };