The collection returned by BasicPermission.newPermissionCollection does not correctly enforce homogeneity of its collection. The problem is that both the add and implies methods of BasicPermissionCollection simply check for instanceof BasicPermission, instead of checking for type equality with the original subclass of BasicPermission. As such, it is possible (for example) to add a NetPermission to a collection of RuntimePermission, and (worse) the collection will incorrectly say that RuntimePermission("*") implies NetPermission("foo").