SocketPermission - Client Port?
932898 · Apr 24 2012 (edited Apr 24 2012)

I've been developing a web application that gets deployed in Apache Tomcat 6, running Java 6 Update 31. There is a requirement to include a module that will simply listen to incoming TCP traffic on port X for future processing. Everything was working great until we went to enable the Java Security Manager (an IA requirement).
Once it was enabled, we started getting AccessControlExceptions, but this was expected, since nothing in our policy file was explicitly allowing this traffic. So, I added the following lines to Tomcat's "catalina.policy" file (where 54321 is the port the app is listening on):
grant {
permission java.net.SocketPermission "*:54321", "accept, resolve";
};
However, we were still seeing AccessControlExceptions, such as:
java.security.AccessControlException: access denied (java.net.SocketPermission 192.168.1.50:1527 accept,resolve)
Looking at that error line, I noticed that "192.168.1.50" is in fact the IP of the client, so "1527" must be the client-side port for the socket. This is verified by the fact that this port changes each time this is attempted...
So, my question is: why does my web application need to care about the client port? My understanding is that outgoing connections simply use arbitrary/random ports. It seems to me that on my side, with respect to this policy file, I should only need to specify the ports I want to listen to. However, the only way I can get this to work is if I change "54321" to "*" in the above permission line, thereby opening the JVM up to the world.
Am I misunderstanding something about the syntax here? How can I make sure that my application accepts connections from ANY host, from ANY client-side port, on server port 54321?
Thanks,
Doug
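Added example (not part of Doug's post) that reproduces, with SocketPermission.implies(), the check ServerSocket.accept() performs behind SecurityManager.checkAccept(host, port): the permission the JVM looks for names the peer's address and ephemeral port, not the local listening port, which is why a grant pinned to 54321 never matches. The peer values come from the exception in the post; the alternative grant targets compared below are assumptions for illustration.

```java
import java.net.SocketPermission;

// Added example: mirrors the accept-side policy check from outside the JVM's
// security manager, so the policy strings can be compared without a deployment.
public class AcceptPermissionCheck {

    // Would a policy line  permission java.net.SocketPermission "<grantTarget>", "accept,resolve";
    // satisfy the check raised when a client at peerHost:peerPort connects?
    static boolean grantCovers(String grantTarget, String peerHost, int peerPort) {
        SocketPermission granted = new SocketPermission(grantTarget, "accept,resolve");
        // This is the permission accept() asks for: PEER host and PEER port.
        SocketPermission needed  = new SocketPermission(peerHost + ":" + peerPort, "accept,resolve");
        return granted.implies(needed);
    }

    public static void main(String[] args) {
        // Peer values taken from the AccessControlException quoted in the post.
        String peer = "192.168.1.50";
        int ephemeral = 1527;

        // Grant from the post: its port range covers only 54321, the LOCAL port,
        // so it cannot cover a peer whose source port is 1527.
        System.out.println("*:54321 covers peer: " + grantCovers("*:54321", peer, ephemeral));

        // Workaround from the post: any host, any port. Covers the peer, but is wider
        // than needed (it also accepts peers using privileged source ports below 1024).
        System.out.println("*       covers peer: " + grantCovers("*", peer, ephemeral));

        // Assumed narrower target: any host, but only the non-privileged port range that
        // client stacks normally pick ephemeral ports from. Tune the range to your network.
        System.out.println("*:1024- covers peer: " + grantCovers("*:1024-", peer, ephemeral));

        // The LOCAL port 54321 is governed by the "listen" action instead, which the JVM
        // checks at bind time against "localhost:<port>", independent of "accept".
        SocketPermission listenGrant  = new SocketPermission("localhost:54321", "listen");
        SocketPermission listenNeeded = new SocketPermission("localhost:54321", "listen");
        System.out.println("listen grant covers local port: " + listenGrant.implies(listenNeeded));
    }
}
```

Run it with a plain `java AcceptPermissionCheck`; no security manager is needed, since implies() is evaluated directly.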