Book: How To Configure Server Security
When maximum-permissions attribute is not set in the security-manager subsystem. Then it defaults to java.security.AllPermission (i.e. unlimited permissions). This behavior has to be documented as users could expect the default to be an empty list of permissions (i.e. no permissions).
Suggestion for improvement:
Add a note into the section "5.2.1. Defining Policies in the Security Manager Subsystem" with information about the default. E.g.
If maximum-permissions attribute is not defined for /subsystem=security-manager/deployment-permissions then it's value defaults to java.security.AllPermission.