Sensitive operations must be protected by security manager checks. See guideline rule "ENV02-J. Create a secure sandbox using a Security Manager" for the importance of performing security checks and limiting code to a secure sandbox.
...
This compliant solution shows the single-argument checkPermission() method and allows files in the local directory with the dtd extension to be read. DTDPermission is a custom permission that enforces this level of access. (See guideline rule "SEC10-J. Define custom security permissions for fine grained security" for details on creating custom permissions.) Even if the java.io.FilePermission is granted to the application with the action "read", DTD files will be subject to additional access control.
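A sketch of the check described above, added here as an illustration and not the guideline's own listing. The class DtdReader, the method openDtd, the body of DTDPermission and the file-name pattern are assumptions; it also assumes a JDK on which the Security Manager is still available (it is deprecated for removal since Java 17).

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.BasicPermission;

public final class DtdReader {

    // Assumed shape of the custom permission: the name is the DTD file name.
    // Public class and constructor so a policy file can instantiate it.
    public static final class DTDPermission extends BasicPermission {
        private static final long serialVersionUID = 1L;

        public DTDPermission(String name) {
            super(name);
        }
    }

    // Opens a DTD by bare file name, resolved against the working directory.
    public static InputStream openDtd(String fileName) throws IOException {
        // Reject separators and ".." so only local *.dtd names pass.
        if (fileName == null || !fileName.matches("[A-Za-z0-9_-]+\\.dtd")) {
            throw new IllegalArgumentException("not a local .dtd file name");
        }
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            // Single-argument form: checked against the current calling
            // context; throws SecurityException when access is denied.
            sm.checkPermission(new DTDPermission(fileName));
        }
        // FileInputStream still triggers the FilePermission "read" check,
        // so the DTDPermission check is an additional gate, not a substitute.
        return new FileInputStream(fileName);
    }

    public static void main(String[] args) throws IOException {
        String name = args.length > 0 ? args[0] : "sample.dtd"; // constructed default
        try (InputStream in = openDtd(name)) {
            System.out.println("opened " + name + ", first byte: " + in.read());
        }
    }
}
```

With no security manager installed the permission check is skipped and only the file-name validation applies, which is why the check is wrapped in the null test rather than assumed.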
...
Search for vulnerabilities resulting from the violation of this guideline rule on the CERT website.