The following section discusses which permissions should be granted to Derby (the code base derby.jar).
See Default Policy Implementation and Policy File Syntax at http://java.sun.com/j2se/1.4.2/docs/guide/security/PolicyFiles.html for more information about creating policy files.
Mandatory. It allows Derby to execute SQL queries and supports loading class files from jar files stored in the database.
Allows Derby to read individual Derby properties set in the JVM's system properties. If the action is denied, Derby properties set in the JVM's system properties are ignored.
Allows Derby to manage files within the database that maps to the specified directory. For read-only databases, only the "read" action needs to be granted.
Allows Derby to determine the system directory when set by derby.system.home and create it if needed. If the system directory already exists, then only the "read" permission needs to be granted.
Permits access to the system directory value if derby.system.home is not set or no permission has been granted to read the derby.system.home property.
Allows Derby to read the system properties file from the system directory.
or
Only one of these permissions is needed. Permits the application to read, write, and delete the Derby log file, unless the log has been redirected. (See the derby.stream.error properties in Tuning Derby for more information.) If one of the requested valid actions is denied, the Derby log is written to java.lang.System.err instead.
You might grant one FilePermission that encompasses several, or all, of the permissions described below, instead of separately granting a number of the more specific permissions.
For example:
Allows the Derby engine complete access to the system directory and any databases contained in the system directory.
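The descriptions above, written out as one least-privilege policy file. This is an added example, not text from the Derby documentation: the permission statements are the standard Java permission classes matched to each description, and the jar location (/opt/derby/lib) and database name (salesdb) are constructed placeholders. It assumes the JVM is started with -Dderby.system.home set, since a grant entry that references an unset property is ignored.

```conf
// Added example: narrow grants for the Derby engine code base only.
// Assumed (not from the page): jar path /opt/derby/lib, database "salesdb".
grant codeBase "file:///opt/derby/lib/derby.jar" {

  // Mandatory: execute SQL queries and load classes from jars stored
  // in the database.
  permission java.lang.RuntimePermission "createClassLoader";

  // Read Derby properties (derby.*) set as JVM system properties.
  // If denied, those properties are silently ignored.
  permission java.util.PropertyPermission "derby.*", "read";

  // Fallback used to locate the system directory when derby.system.home
  // is not set or cannot be read.
  permission java.util.PropertyPermission "user.dir", "read";

  // Determine the system directory and create it if needed.
  // Reduce to "read" once the directory exists.
  permission java.io.FilePermission "${derby.system.home}", "read,write";

  // Read derby.properties from the system directory.
  permission java.io.FilePermission
      "${derby.system.home}${/}derby.properties", "read";

  // Derby log file in the system directory. If any action is denied,
  // the log goes to System.err instead.
  permission java.io.FilePermission
      "${derby.system.home}${/}derby.log", "read,write,delete";

  // One database directory, recursively ("-"). For a read-only
  // database grant "read" only.
  permission java.io.FilePermission
      "${derby.system.home}${/}salesdb${/}-", "read,write,delete";

  // Broader alternative: a single grant over the whole system directory
  // replaces the three file grants beneath it above, at the cost of
  // giving the engine access to every database and file stored there.
  // permission java.io.FilePermission
  //     "${derby.system.home}${/}-", "read,write,delete";
};
```

The policy takes effect only when a security manager is installed, for example by starting the JVM with -Djava.security.manager and -Djava.security.policy pointing at this file.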