Bug 1036872 - [CCC] (6.3) Cannot configure a security policy file setting that disables policy files specified in JRE's java.security file
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Server
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: DR0
Target Release: EAP 6.3.0
Assignee: Kabir Khan
QA Contact: Michal Karm Babacek
URL:
Whiteboard:
Depends On:
Blocks: 1044394
Reported: 2013-12-02 19:35 UTC by Brian Stansberry
Modified: 2014-06-28 15:43 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-06-28 15:43:29 UTC
Type: Bug
Embargoed:



Description Brian Stansberry 2013-12-02 19:35:11 UTC
When a security manager is installed, by default the VM reads policy files specified in the VM installation's java.security file. By default this includes the following:

# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy

The user can also specify a policy file to use via the system property java.security.policy. A special behavior of that system property is that if its value starts with "=", the policy files specified in java.security are ignored, and only the file set via the java.security.policy system property is used.

For example, this disables the use of the defaults:

-Djava.security.policy==/Users/kabir/tmp/permit.policy

See http://docs.oracle.com/javase/6/docs/technotes/guides/security/PolicyFiles.html for full details.

The bug is that the Host Controller process' Main class handles parsing of system properties such that the value of a system property whose value begins with "=" instead becomes null. This causes the specified property file to be ignored, likely leading to permission problems on the host's servers, e.g.:

[Server:server-one] Exception in thread "main" java.security.AccessControlException: access denied (java.util.PropertyPermission module.path write)
[Server:server-one]     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:376)
[Server:server-one]     at java.security.AccessController.checkPermission(AccessController.java:549)
[Server:server-one]     at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
[Server:server-one]     at java.lang.System.setProperty(System.java:741)
[Server:server-one]     at org.jboss.modules.Main.main(Main.java:148)
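
The parsing failure described above, as an added example that is not code from this bug report or from JBoss: the naive parser is an assumed reconstruction of one way a value starting with "=" can become null, shown beside a parser that splits only on the first "=" and a round-trip check for the argument handed to a child JVM. The class and method names are hypothetical.

```java
import java.util.AbstractMap.SimpleImmutableEntry;
import java.util.Map;

// Added illustration: class and method names are hypothetical, not JBoss code.
public class SysPropArg {

    // Assumed flawed parser: splits on every '=', so "name==value" yields
    // three parts and the value is dropped (null).
    static String naiveValue(String arg) {
        String[] parts = arg.substring(2).split("=");
        return parts.length == 2 ? parts[1] : null;
    }

    // Splits on the first '=' only; everything after it, including a
    // leading '=', is the value. "-Dname" alone means an empty value.
    static Map.Entry<String, String> parse(String arg) {
        if (!arg.startsWith("-D") || arg.length() == 2) {
            throw new IllegalArgumentException("not a -D argument: " + arg);
        }
        String body = arg.substring(2);
        int eq = body.indexOf('=');
        if (eq < 0) {
            return new SimpleImmutableEntry<String, String>(body, "");
        }
        return new SimpleImmutableEntry<String, String>(
                body.substring(0, eq), body.substring(eq + 1));
    }

    // Rebuilds the argument for a child JVM command line.
    static String toArg(Map.Entry<String, String> p) {
        return "-D" + p.getKey() + "=" + p.getValue();
    }

    public static void main(String[] args) {
        // The argument quoted in the bug description.
        String arg = "-Djava.security.policy==/Users/kabir/tmp/permit.policy";
        Map.Entry<String, String> p = parse(arg);

        System.out.println("naive value      : " + naiveValue(arg));
        System.out.println("parsed value     : " + p.getValue());
        // A leading '=' in the value means the policy.url.N entries are ignored.
        System.out.println("overrides default: " + p.getValue().startsWith("="));
        // The round trip must be lossless, or the child JVM sees another policy.
        if (!toArg(p).equals(arg)) {
            throw new IllegalStateException("argument changed: " + toArg(p));
        }
    }
}
```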

Comment 3 Michal Karm Babacek 2014-02-28 17:47:27 UTC
Fix is present in the delivered bits. Verified.

