grant {
    permission java.util.PropertyPermission "*", "read,write";
    permission java.net.SocketPermission "*:*", "listen,resolve,accept,connect";
    permission java.io.FilePermission "/-", "read";
    permission java.io.FilePermission "*", "read,write,delete";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "getSubject";
    permission javax.security.auth.AuthPermission
                    "createLoginContext.server_star";
    permission javax.security.auth.AuthPermission
                    "createLoginContext.server_multiple_principals";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KeyTab java.security.Principal \"krb5.keytab.data\"", "read";

    // clients have a permission to use all service principals
    permission javax.security.auth.kerberos.ServicePermission "*", "initiate";

    // server has a service permission
    // to accept only service1 and service3 principals
    permission javax.security.auth.kerberos.ServicePermission
                    "host/service1.localhost@TEST.REALM", "accept";
    permission javax.security.auth.kerberos.ServicePermission
                    "host/service3.localhost@TEST.REALM", "accept";
};