...
This noncompliant code example shows a snippet of a custom class loader that extends the class URLClassLoader. It overrides the getPermissions() method and does not call the superclass's more restrictive getPermissions() method. Note that URLClassLoader's getPermissions() method calls the Policy class's getPermissions() method, which, by default, uses the global system-wide policy file to enforce access control. Consequently, a class defined using this custom class loader has permissions that are completely independent of those specified in the system-wide policy file; in effect, the class's permissions override them.
...
In this compliant solution, the overridden getPermissions() method calls super.getPermissions(). Thus, the default system-wide security policy is consulted, in addition to the custom policy.
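The two variants described above, side by side, as an added example that is not the page's own code. The class names, the sample codebase URL and the PropertyPermission granted are assumptions chosen for illustration.

```java
import java.net.URI;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.CodeSource;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.PropertyPermission;

public class LoaderPermissionsDemo {

    // Noncompliant: the permission set is built from scratch, so nothing the
    // superclass would have contributed for this CodeSource is included.
    static class IsolatedLoader extends URLClassLoader {
        IsolatedLoader(URL[] urls) { super(urls); }

        @Override
        protected PermissionCollection getPermissions(CodeSource cs) {
            PermissionCollection pc = new Permissions();
            pc.add(new PropertyPermission("user.name", "read")); // sample custom grant
            return pc;
        }
    }

    // Compliant: start from super.getPermissions(cs), then add the custom grant.
    static class PolicyAwareLoader extends URLClassLoader {
        PolicyAwareLoader(URL[] urls) { super(urls); }

        @Override
        protected PermissionCollection getPermissions(CodeSource cs) {
            PermissionCollection pc = super.getPermissions(cs);
            pc.add(new PropertyPermission("user.name", "read")); // same custom grant
            return pc;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample codebase; the file does not need to exist.
        URL[] urls = { URI.create("file:/opt/plugins/demo.jar").toURL() };
        CodeSource cs = new CodeSource(urls[0], (Certificate[]) null);
        try (IsolatedLoader bad = new IsolatedLoader(urls);
             PolicyAwareLoader good = new PolicyAwareLoader(urls)) {
            // Print the permissions each loader would attach to classes from cs.
            System.out.println("isolated:     " + Collections.list(bad.getPermissions(cs).elements()));
            System.out.println("policy-aware: " + Collections.list(good.getPermissions(cs).elements()));
        }
    }
}
```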
...
Failure to consult the default system policy while defining a custom class loader violates the tenets of defensive programming and can result in classes defined with unintended permissions.
...