- Feature Request
- Resolution: Done
- Major
- 7.1.1.Final
- None
The naming subsystem defines the JndiPermission permission class, which gives the impression that it could be used to secure access to various parts of the JNDI tree. This is not true, though, because that permission is not enforced.
(It is enforced in the InMemoryNamingStore, but that implementation of the naming store is not used inside a running AS7 instance; it seems to be a default for testing purposes.)
Having this ability would greatly simplify the situation where some application (like RHQ/JBoss ON) allows user-defined scripts to be executed in a running server but wants to restrict those scripts' access to the JNDI tree (so that the scripts cannot, for example, access the database by looking up the datasource and thus circumvent any authz within the application that was given to the scripts).
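The following is an added example, not code from the issue or from the AS7 naming subsystem: a simplified model of what enforcing a lookup permission means, with the check running before a binding is returned. `LookupPermission`, `lookup`, the JNDI names and the bindings are all hypothetical, and the grants are passed in explicitly instead of being resolved by a security manager.

```java
import java.security.Permission;
import java.security.Permissions;
import java.util.Map;
import javax.naming.NamingException;
import javax.naming.NoPermissionException;

public class GuardedLookupDemo {
    // Hypothetical stand-in for a JNDI permission: the name is a JNDI path,
    // and a trailing "/*" grants everything below that prefix.
    static final class LookupPermission extends Permission {
        LookupPermission(String name) { super(name); }
        @Override public boolean implies(Permission p) {
            if (!(p instanceof LookupPermission)) return false;
            String mine = getName(), theirs = p.getName();
            return mine.endsWith("/*")
                ? theirs.startsWith(mine.substring(0, mine.length() - 1))
                : mine.equals(theirs);
        }
        @Override public boolean equals(Object o) {
            return o instanceof LookupPermission
                && ((LookupPermission) o).getName().equals(getName());
        }
        @Override public int hashCode() { return getName().hashCode(); }
        @Override public String getActions() { return "lookup"; }
    }

    // Hypothetical naming store entry point. The check comes first, so a
    // denied caller learns nothing about whether the name is bound.
    static Object lookup(Map<String, Object> bindings, Permissions granted, String name)
            throws NamingException {
        if (!granted.implies(new LookupPermission(name))) {
            throw new NoPermissionException("lookup denied: " + name);
        }
        return bindings.get(name);
    }

    public static void main(String[] args) throws NamingException {
        // Constructed bindings; strings stand in for the real bound objects.
        Map<String, Object> bindings = Map.of(
            "java:/scripts/helper", "helper",
            "java:/jdbc/AppDS", "datasource");
        // Grants for the user-defined script: only its own subtree.
        Permissions scriptGrants = new Permissions();
        scriptGrants.add(new LookupPermission("java:/scripts/*"));

        System.out.println(lookup(bindings, scriptGrants, "java:/scripts/helper"));
        try {
            lookup(bindings, scriptGrants, "java:/jdbc/AppDS");
        } catch (NoPermissionException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Defining the permission class alone changes nothing; the restriction exists only because `lookup` consults the grants on every call, which is the step the issue reports as missing from the naming store used in a running server.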