I don't understand what you mean by doing some JACC work. You can get the Policy via the standard java.security.Policy.getPolicy accessor provided you have the correct permission. This Policy will be the JACC provider Policy. JACC-specific permissions will be handled by the installed policy implementation. Non-JACC permissions will be forwarded to the Policy that existed when the JACC Policy provider was installed.
I think I'd better reread the specs docs to get a better understanding.
General question about JBoss's current implementation. If I set up the JBoss server according to the Wiki, does this mean that JACC uses the server.policy as its default policy?
No, the current implementation has nothing to do with the base vm security policy other than delegating to it for non-JACC permissions. There is no requirement to run with a security manager and establish the java2 permissions for the application. The allowed permissions are derived from the deployment and user roles assigned to the users via JAAS.
In a future implementation the overloading of JAAS to obtain the authorization roles from the authentication step will be removed. It will not be using the vm java2 permission policy files as the source of the permission assignments though.
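
The delegation described in the replies above, sketched as an added Java example that is not JBoss's code and not part of the thread: a Policy that decides the permissions it owns from role grants and forwards everything else to the Policy that was in place before it. Assumptions: `DelegatingJaccPolicy`, `grant` and `DemoJaccPermission` are hypothetical names, the stand-in permission class replaces the real javax.security.jacc types so the sketch compiles without a JACC jar, and each Principal name is treated as a role name.

```java
import java.security.*;
import java.util.*;
import java.util.function.Predicate;

/** Added sketch: a Policy that decides JACC permissions itself and delegates the rest. */
public class DelegatingJaccPolicy extends Policy {
    private final Policy previous;                 // policy in place before this one was installed
    private final Predicate<Permission> isJacc;    // which permissions this provider owns
    private final Map<String, PermissionCollection> byRole = new HashMap<>();

    public DelegatingJaccPolicy(Policy previous, Predicate<Permission> isJacc) {
        this.previous = previous; this.isJacc = isJacc;
    }

    /** Records a permission derived from the deployment for a role (hypothetical helper). */
    public void grant(String role, Permission p) {
        byRole.computeIfAbsent(role, r -> new Permissions()).add(p);
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission p) {
        if (!isJacc.test(p)) {
            return previous.implies(domain, p);    // non-JACC: forward to the earlier Policy
        }
        // Assumption: each Principal name in the domain is a role name.
        for (Principal pr : domain.getPrincipals()) {
            PermissionCollection pc = byRole.get(pr.getName());
            if (pc != null && pc.implies(p)) return true;
        }
        return false;                              // JACC permissions are never delegated
    }
    /** Constructed stand-in for a JACC permission such as WebResourcePermission. */
    static final class DemoJaccPermission extends BasicPermission {
        DemoJaccPermission(String name) { super(name); }
    }

    public static void main(String[] args) {
        Policy base = new Policy() {               // constructed base policy: denies everything
            @Override public boolean implies(ProtectionDomain d, Permission p) { return false; }
        };
        DelegatingJaccPolicy policy =
            new DelegatingJaccPolicy(base, p -> p instanceof DemoJaccPermission);
        policy.grant("admin", new DemoJaccPermission("admin-console"));
        Principal admin = () -> "admin";           // constructed role principal
        ProtectionDomain pd = new ProtectionDomain(null, null, null, new Principal[] { admin });
        System.out.println(policy.implies(pd, new DemoJaccPermission("admin-console"))); // JACC path
        System.out.println(policy.implies(pd, new RuntimePermission("exitVM")));         // delegated
    }
}
```

A real provider would capture `Policy.getPolicy()` at install time as `previous`; note that `java.security.Policy` is deprecated for removal in current JDKs, so this compiles with deprecation warnings.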