please read the block post more carefully. It describes how the effective policy comes from multiple policy files. in particular pay particular attention to the part that starts with:
"When the Glassfish application server starts up, it establishes the default policy context by merging the contents of the server.policy file, with the contents of all of the files identified via policy url's in $JAVA_HOME/jre/lib/security/java.security...
you must check all of the files defined in java.security and the server.policy file, and the granted.policy file (that you have already checked) for an unqulaified grant of allPermission.
In my experience the unqualified grant is usually in one of the following files
$J2EE_HOME/domains/domainx/config/server.policy
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy
Ron
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=320853