The server.policy is an obsolete and unused file unless you specifically refer to it in your security manager configuration of the JVM.
Could you please elaborate on how JBoss works with the security manager? Or is there no need to use security.policy at all? What is the recommended approach followed in production deployments? I see that this is somewhat different compared to other application servers.
Instead of confusing J2EE security with the Java Security Manager (as Anil did), or making up completely nonsensical comments (like Scott did), maybe JBoss should write a sensible server.policy that could be used in the real world where you want to use the Java 2 Security Model to restrict things like which Sockets can be opened, which classes can be loaded by which other classes...
If you don't know how to do it, you can read about it in the WebLogic documentation.