Currently the default security manager in the JDK is not very useful when tracing out permission failures. It is verbose and very very difficult to pin-point the protection domain (and the codesource) which is the cause of the permission failure.