This doesn't look like it has anything to do with policy files, you would usually get an AccesControlException (or something like that) if that were the case. From the Java doc:
An IllegalAccessException is thrown when an application tries to reflectively create an instance (other than an array), set or get a field, or invoke a method, but the currently executing method does not have access to the definition of the specified class, field, method or constructor.
In other words: you (or the library) is trying to access a method that is (probably) marked "private". You'll have to work around this in your code. See for example:
But note that the permission mentioned there (java.lang.reflect.ReflectPermission suppressAccessChecks) doesn't look like something we're going to include in our policy file.
I seems there is a problem in Thymeleaf/OGNL. See also this link.
A solution is to call OgnlRuntime.setSecurityManager(null); first before using Thymeleaf.