The MIDP security model needs to be explained in 2 parts:
The phone (or the emulator) contains a security policy.
The security policy is made of several domains.
each domain defines function groups and root certificates.
a function group decides which protection options (auto agree always, user agree always, user agree once...) are available in the domain for which protected API (i.e. messaging).
The domain that applies to your MIDlet depends on which of the root certificates trusts the certificate you signed your MIDlet with.
Your problem is that there is a mismatch between what you think the protection options should be for the API you want in the domain you think your MIDlet belongs too and what is actually defined in the emulator security policy.
EDIT:
how-to for WTK-based emulators:
There are 3 _policy.txt*
files in the ${netbeans_installation_folder}mobility8WTK2.5.2j2mewtk_templateappdb
folder.
They each contain a list of "alias" definitions and a list of "domain" definitions.
Make every domain have the same content as the "maximum" domain.
After this, Your emulator will never again ask for any user permission.
If you have already used the emulator contained in Netbeans, you probably want to make the same changes to the ${netbeans_installation_folder}mobility8WTK2.5.2appdb
folder.