JAAS and WebLogic 10.3: Granting specific codebase permissions to a JAR bundled within an EAR

Question

Here's my scenario:

I have a JAR within the APP-INF/lib of my EAR, to be deployed within WebLogic 10g Release 3 against which I wish to grant specific permissions.

e.g.,

grant codebase "file:/c:/somedir/my.jar" {
  permission java.net.SocketPermission "*:-","accept,connect,listen, resolve";
  permission java.net.SocketPermission "localhost:-","accept,connect,listen,resolve";
  permission java.net.SocketPermission "127.0.0.1:-","accept,connect,listen,resolve";
  permission java.net.SocketPermission "230.0.0.1:-","accept,connect,listen,resolve";
  permission java.util.PropertyPermission "*", "read,write";
  permission java.lang.RuntimePermission "*";
  permission java.io.FilePermission "<<ALL FILES>>","read,write,delete";
  permission javax.security.auth.AuthPermission "*";
  permission java.security.SecurityPermission "*";
};

Questions:

1. Where is the best place to define this grant - in the java.policy of the JRE, WL server's weblogic.policy, or within a XML packaged within the EAR

2. How do I define the codebase URL to the JAR? The examples I have seen have an explicit reference to the JAR on the file system, however I am deploying the JAR packaged up within an EAR.

Thanks!