That vm policy is unused. You have to specify the security manager and policy as part of the jvm options. I'm cleaning up some priviledged block usage for the 3.2.4 release so that j2ee components can run from a codebase with minimal permissions.
I have a problem of, maybe english, understanding: if you are cleaning up priviledged block usage you will end up with maximum of permissions, but minimum count of java.security permissions -> more less control ?
Am I wrong?
Or do you mean a minimal set of permissions?