Sorry I did not explain the whole thing in my previous response.
I also checked the server.policy from the J2EE_HOME and I have the two policy.url.x parameters you are saying.
But the ${java.home}/lib/security/java.policy is the default one and grant only stuff like:
grant codeBase "file:${{java.ext.dirs}}/*" {
permission java.security.AllPermission;
};
grant {
permission java.lang.RuntimePermission "stopThread";
permission java.net.SocketPermission "localhost:1024-", "listen";
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
...snip...
permission java.util.PropertyPermission "java.vm.name", "read";
};
So nothing related to web ressource.
And no users have .java.policy file.
In fact the system is a fresh lab install to test Sun Portal. Except the installer for application server, access manager and portal server, nobody change anything to the system. So for me it's strange that the admin console of the application server don't ask credentials. I did nothing to have that. It's like a "out of the box" feature.
[Message sent by forum member 'vvlier' (vvlier)]
http://forums.java.net/jive/thread.jspa?messageID=320950