...
This noncompliant code example shows a snippet of a custom class loader that extends the class URLClassLoader. It overrides the getPermissions() method and does not call the superclass's more restrictive getPermissions() method. Note that URLClassLoader's getPermissions() method calls the Policy class's getPermissions() method, which by default uses the global system-wide policy file to enforce access control. Consequently, a class defined using the custom class loader has permissions that are completely independent of those specified in the system-wide policy file and, in effect, the class's permissions override them.
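The override described above, shown next to a corrected form that starts from the superclass's result. This is an added example, not code from the original page; the class names, the sample jar URL and the exitVM grant are assumptions chosen for illustration.

```java
import java.net.URI;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.cert.Certificate;
import java.util.Collections;

public class GetPermissionsDemo {
    // Noncompliant: builds the collection from scratch, so nothing the
    // superclass would have returned for this code source is consulted.
    static class NoncompliantLoader extends URLClassLoader {
        NoncompliantLoader(URL[] urls) { super(urls); }
        @Override
        protected PermissionCollection getPermissions(CodeSource cs) {
            PermissionCollection pc = new Permissions();
            pc.add(new RuntimePermission("exitVM")); // illustrative grant
            return pc;
        }
    }

    // Corrected: starts from super.getPermissions(cs) and only then adds
    // the one extra permission this loader is meant to hand out.
    static class CompliantLoader extends URLClassLoader {
        CompliantLoader(URL[] urls) { super(urls); }
        @Override
        protected PermissionCollection getPermissions(CodeSource cs) {
            PermissionCollection pc = super.getPermissions(cs);
            pc.add(new RuntimePermission("exitVM")); // illustrative grant
            return pc;
        }
    }

    // Prints every permission in the collection so the two can be compared.
    static void dump(String label, PermissionCollection pc) {
        System.out.println(label);
        for (Permission p : Collections.list(pc.elements())) System.out.println("  " + p);
    }

    public static void main(String[] args) throws Exception {
        URL origin = URI.create("file:/opt/plugins/example.jar").toURL(); // constructed sample
        CodeSource cs = new CodeSource(origin, (Certificate[]) null);
        URL[] urls = { origin };
        try (NoncompliantLoader bad = new NoncompliantLoader(urls);
             CompliantLoader good = new CompliantLoader(urls)) {
            dump("NoncompliantLoader:", bad.getPermissions(cs));
            dump("CompliantLoader:", good.getPermissions(cs));
        }
    }
}
```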
...