- Bug
- Resolution: Fixed
- P3
- 1.4.0
- None
- beta
- generic
- generic
Subject.doAs(null, action) in a context where there is already an executing subject does not set the executing subject to null; it leaves the currently executing subject as the executing subject. As a result, more permissions are granted than expected, opening up a security hole.
Execute the attached test program with the attached security policy.
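A minimal regression check for the behaviour described above, added here as an example; it is not the test program or policy attached to the report. The class name, method names and principal are constructed for illustration. It assumes a JDK on which `Subject.getSubject(AccessControlContext)` is still supported (for example JDK 8 to 17) and runs without a security manager, so it checks only which subject is bound, not which policy grants apply.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class NullSubjectCheck {

    // Subject bound to the current access control context, or null if none.
    static Subject current() {
        return Subject.getSubject(AccessController.getContext());
    }

    // Runs doAs(outer, ...) and, nested inside it, doAs(null, ...).
    // Returns the subject that the innermost action observes.
    static Subject seenInsideNullDoAs(Subject outer) {
        return Subject.doAs(outer, (PrivilegedAction<Subject>) () ->
                Subject.doAs(null, (PrivilegedAction<Subject>) NullSubjectCheck::current));
    }

    public static void main(String[] args) {
        Subject outer = new Subject();
        // Constructed principal, used only to make the outer subject recognisable.
        outer.getPrincipals().add(new X500Principal("CN=constructed-test-user"));

        // Sanity check: a plain doAs(outer, ...) must bind the outer subject.
        Subject seenOuter = Subject.doAs(outer,
                (PrivilegedAction<Subject>) NullSubjectCheck::current);
        if (seenOuter != outer) {
            System.out.println("FAIL: doAs(outer, ...) did not bind the outer subject");
            System.exit(2);
        }

        // The behaviour under test: doAs(null, ...) must clear the executing subject,
        // so principal-based policy grants of the outer subject no longer apply.
        Subject seenInner = seenInsideNullDoAs(outer);
        if (seenInner == null) {
            System.out.println("PASS: no subject is bound inside doAs(null, ...)");
        } else {
            System.out.println("FAIL: outer subject still bound inside doAs(null, ...): "
                    + seenInner.getPrincipals());
            System.exit(1);
        }
    }
}
```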