...
This noncompliant code example shows a snippet of a custom class loader that extends the class URLClassLoader. It overrides the getPermissions method and thus avoids the use of the default (does not call the superclass's more restrictive ) getPermissions method defined in URLClassLoader. Note that URLClassLoader's getPermissions() method calls the Policy class's getPermissions() method which by default, uses the system policy file to enforce access control. Therefore, a class defined using the custom class loader will have permissions that are completely independent of those specified in the system-wide policy file and will override them.
...