grant codebase "file:/-" {
    permission java.util.PropertyPermission "jmx.wait", "read";
    permission java.util.PropertyPermission "jmx.rmi.port", "read";
    permission java.net.SocketPermission "*", "accept,connect,resolve";
    permission java.security.SecurityPermission "*";

    // Attribute Caption: allow get everywhere
    // ==================

    // allow getAttribute(*:*,Caption) in all MBeanServers
    permission javax.management.MBeanPermission "#Caption", "getAttribute";
    // allow getAttribute(*:*,Caption) in all namespaces recursively.
    permission javax.management.namespace.JMXNamespacePermission "Caption",
               "getAttribute";

    // Attribute Mood: allow get only in MBeanServers named rmi*
    // ===============

    // allow to get attribute Mood of Wombat MBeans only in namespaces
    // whose name match rmi*, wherever they are.
    // for this we need two permissions:
    permission javax.management.namespace.JMXNamespacePermission
               "*::Mood[**//rmi*//wombat:*]",
               "getAttribute";
    permission javax.management.namespace.JMXNamespacePermission
               "*::Mood[rmi*//wombat:*]",
               "getAttribute";

    // allow to get attribute mood in any MBeanServer whose name starts with
    // rmi
    permission javax.management.MBeanPermission "rmi*::#Mood",
               "getAttribute";

    // Attribute UUID:
    // ===============

    // allow to get attribute "UUID" everywhere.
    permission javax.management.namespace.JMXNamespacePermission
               "*::UUID[*//**//:*]",
               "getAttribute";
    permission javax.management.MBeanPermission
               "#UUID[*//:*]",
               "getAttribute";



    // Let getMBeanInfo and queryNames through everywhere...
    //
    permission javax.management.namespace.JMXNamespacePermission "[]",
               "getMBeanInfo,queryNames";
    permission javax.management.MBeanPermission "*",
               "getMBeanInfo,queryNames";

    // special permission for all wombats:
    //
    permission javax.management.namespace.JMXNamespacePermission
               "[**//*:type=Wombat,*]",
               "getObjectInstance,isInstanceOf,queryMBeans";
    permission javax.management.MBeanPermission "[*:type=Wombat,*]",
               "getObjectInstance,isInstanceOf,queryMBeans";

    // allow JMXNamespace::getDefaultDomain
    permission javax.management.namespace.JMXNamespacePermission
               "*::DefaultDomain",
               "getAttribute";

    // These permissions are required to connect visualvm.
    //
    permission javax.management.MBeanPermission "default::[java.lang:*]",
               "getObjectInstance,isInstanceOf,getAttribute,getMBeanInfo,queryNames,queryMBeans";
    permission javax.management.MBeanPermission "root::",
               "isInstanceOf,queryNames,queryMBeans,getAttribute,getMBeanInfo,getObjectInstance,getDomains";
    permission javax.management.namespace.JMXNamespacePermission
               "[**//JMImplementation:type=MBeanServerDelegate]",
               "addNotificationListener,removeNotificationListener,isInstanceOf,queryNames,queryMBeans,getAttribute,getMBeanInfo,getObjectInstance";
    permission javax.management.MBeanPermission
               "javax.management.MBeanServerDelegate",
               "addNotificationListener,removeNotificationListener,isInstanceOf,queryNames,queryMBeans,getAttribute,getMBeanInfo,getObjectInstance";

    // Thread monitoring
    permission java.lang.management.ManagementPermission "monitor";
    permission javax.management.MBeanPermission "*::sun.management.*#*[java.lang:*]", "invoke";
};