We don't provide any advice about what permissions are required to run ij under a Java security manager.

server.policy grants derbytools.jar the permission to read several system properties. However, at startup ij tries to read all of the system properties. This happens in ij.jj in the initFromEnvironment() method. To call System.getProperties(), you need the following permission:

permission java.util.PropertyPermission "*", "read,write";

ij startup fails with this error trace:

Exception in thread "main" java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1252)
at java.lang.System.getProperties(System.java:581)
at org.apache.derby.impl.tools.ij.ij$1.run(ij.java:113)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.derby.impl.tools.ij.ij.initFromEnvironment(ij.java:111)
at org.apache.derby.impl.tools.ij.utilMain.initFromEnvironment(utilMain.java:175)
at org.apache.derby.impl.tools.ij.Main.<init>(Main.java:244)
at org.apache.derby.impl.tools.ij.Main.getMain(Main.java:196)
at org.apache.derby.impl.tools.ij.Main.mainCore(Main.java:181)
at org.apache.derby.impl.tools.ij.Main.main(Main.java:75)
at org.apache.derby.tools.ij.main(ij.java:59)

Here are some ways to fix this problem:

1) Remove the whole block of permissions for derbytools.jar. Maybe those permissions don't belong in server.policy. Note that a similar block of permissions also appears in template.policy with a comment suggesting that they are sufficient for running the Derby tools.

2) Add to the derbytools block the missing permission.

3) Re-write initFromEnvironment() so that it reads only a few properties rather than all properties.