Configuration of maximum-permissions attribute in /subsystem=security-manager/deployment-permissions=default doesn't work so the permissions for deployments can't be restricted.
(The "policy of the product installation" in the words of EE specification is not enforced).
If administrator specifies maximum-permissions in server configuration and also permissions.xml in the deployment, all permissions from the permissions.xml are granted even if the policies are in conflict.
The maximum-permissions configuration has following meaning:
A set containing the maximum permission scope that can be granted to deployments or jars
The Java EE 7 platform specification (JSR 342) says in section EE.126.96.36.199:
If security permissions are declared that conflict with the policy of the product installation, the Java EE product must fail deployment of the application module.
- based on EE spec the deployment should fail
- deployed application should not get more permissions than specified in the maximum-permissions