the approach you took (i.e., using the dash will cover all modules of the app), but your other question concerning different app versions (which will not share a common root distinct form other apps) is not something that is easy to do.
we have plans to allow permission grants tp be defined in jars, but that is a bit down the road.
I would like to be able to say that if you signed your jars, you could grant the perms to all jars given a particular signer, but I don't think the Glassfish application class loader will assign the signers to the protection domains of the loaded classes, and thus signer based grants will not match the protection domains.
when an app is deployed to glassfish, we write module specific policy files under generate/policy/appname/modulename/granted.policy. The good news is that the hgrants defined in these files only apply to the app,. The bad news is that they are regerated every time you redeploy the app. that said, you could put your grants in these policy files, in which case you need not be so precise about to whom you are granting the permissions since the grants will only be in effect for your app.
Ron
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=274647