My group has implemented a number of Service MBeans and I need to apply a granular authorization policy to them.
The MBeanServer API documentation seems to support this well ...
For the invoke method, the caller's permissions must imply MBeanPermission(className, operationName, name, "invoke").
For the getAttribute method, the caller's permissions must imply MBeanPermission(className, attribute, name, "getAttribute").
You need to run with a security manager, specify a policy configuration that uses subject-based permissions, and then encapsulate the MBean access in Subject.doAs(...) blocks.
Alternatively, you could add a custom security interceptor to your MBeans by deploying them as XMBeans.
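
The permission checks quoted in the question can be dry-run against candidate policy grants without starting a security manager. The following is an added example, not code from either poster; the class, operation, attribute and ObjectName values are hypothetical.

```java
import java.security.Permissions;
import javax.management.MBeanPermission;
import javax.management.ObjectName;

// Dry-run of granular MBeanPermission grants against the permissions the
// MBeanServer requires for invoke and getAttribute. All MBean names are hypothetical.
public class MBeanPolicyDryRun {

    // What a policy entry for one principal would grant (constructed sample).
    // Target name format: className#member[objectName]
    static Permissions operatorGrants() {
        Permissions granted = new Permissions();
        granted.add(new MBeanPermission(
            "com.example.CacheService#flush[com.example:type=CacheService]", "invoke"));
        granted.add(new MBeanPermission(
            "com.example.CacheService#Size[com.example:type=CacheService]", "getAttribute"));
        return granted;
    }

    // Builds the permission the caller must hold, in the four-argument form
    // MBeanPermission(className, member, name, action), and tests it against the grants.
    static boolean allowed(Permissions granted, String className, String member,
                           ObjectName name, String action) {
        return granted.implies(new MBeanPermission(className, member, name, action));
    }

    public static void main(String[] args) throws Exception {
        Permissions granted = operatorGrants();
        String cls = "com.example.CacheService";
        ObjectName cache = new ObjectName("com.example:type=CacheService");
        ObjectName audit = new ObjectName("com.example:type=AuditService");

        // Granted operation and attribute on the granted MBean.
        System.out.println("invoke flush on cache:       " + allowed(granted, cls, "flush", cache, "invoke"));
        System.out.println("getAttribute Size on cache:  " + allowed(granted, cls, "Size", cache, "getAttribute"));
        // Same MBean, but an operation or action that was never granted.
        System.out.println("invoke clear on cache:       " + allowed(granted, cls, "clear", cache, "invoke"));
        System.out.println("setAttribute Size on cache:  " + allowed(granted, cls, "Size", cache, "setAttribute"));
        // Granted operation name, but on a different ObjectName.
        System.out.println("invoke flush on audit:       " + allowed(granted, cls, "flush", audit, "invoke"));
    }
}
```

Only the first two checks are implied by the grants; a policy file entry carrying the same target strings and actions under a principal grant would authorize exactly those calls for that subject.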