Based on your comments, I've concluded that we should stop checking the JVM-wide security policy in 3.0 for the reason you state. It would be best not to create a potential dependency on the JVM configuration. This woukd be in line with what we did in 2.8 with JAAS: even though we still use JAAS LoginModules for authentication, they are configured entirely in JSPWiki and not via the JRE. Makes sense to do the same with the security policy.
+1
Not sure whether that should be done in 2.8.2 though. Maybe rather 3.0. /Janne
