The java.security.debug permission=<classname> and codebase=<URL> options do not work. These
options are used with the stack/domain options (see sun.security.util.Debug source code for
more info).
There is a bug in sun.security.util.Debug.marshal - it doesn't properly parse out the permission/codebase names and they always get parsed into lower case so they never match against what the user specifies.
According to my test, when use the "," as separator, the denbug options work, the permission and codebase URL could be properly parsed. However, because a URL maybe contains a ",", need to evaluate the effect of "," in a URL.