Application policies can be declared in static XML files (e.g. login-config.xml) that are parsed by the security framework. We need to support the specification of ACL providers as part of an application policy, like the example bellow:

<policy>
<application-policy name="policy>
<authentication>
...
</authentication>
<acl>
<acl-module code="org.jboss.security.acl.ACLProviderImpl" flag="required">
<module-option name="persistenceStrategy">org.jboss.security.acl.JPAPersistenceStrategy</module-option>
</acl-module>
</acl>
...
</application-policy>
</policy>