The current implementation of ProtectionDomain.implies() performs separate
implies() checks on the ProtectionDomain's static permissions and the global
Policy object (if appropriate). It is not semantically correct to separate the
two implies checks--rather, the two sets of permissions should be combined in a
single PermissionCollection on which implies() is called. The result of
calling implies() individually on the static permissions and policy permissions
may not always result in proper "collective implies" behavior for permission
sets bifurcated between the two groupings.

For example, suppose the class loader assigns the SocketPemission to the origin
server with the "connect" action and policy assigns SocketPermission to the
same server with the "accept" action. In this case, during a security check for
the combined actions the check would fail when clearly the combined permissions
have been granted.

One solution would be for the Policy to assume responsibility for tracking
static permissions; ProtectionDomain.implies() would then delegate directly to
Policy.implies() (with no intermediate checks of its own).