The default system policy file (in jre/lib/security/java.policy)
grants all permissions to standard extensions, as follows:

grant codeBase "file:${java.home}/lib/ext/*" {
        permission java.security.AllPermission;
};

This uses a hardcoded path to the extensions directory, but the user can change
the extensions directory by setting the "java.ext.dirs" system property.
When the user does that, the grant statement in the default policy is useless.

In 1.4, 4215035 was filed and this same problem was partially fixed.
The policy code was modified to accept ${java.ext.dirs} and treat it
appropriately. However, ${java.ext.dirs} is confusing because that's
the syntax of expanding any system property in place. ${java.ext.dirs}
can be used to indicate a list of directories. Also, the default policy
file was not changed.


The proposal is to define a new policy file general expansion protocol for "java.ext.dirs"
that has rules for how the protocol is to be treated. Also, update
the default policy file itself to use this new grant statement.

grant codebase "file:${{java.ext.dirs}}/*" {
permission java.security.AllPermission;
};

This will help plug-in support system-wide repositories in their migration
from MSVM without making any special policy/security changes. See discussion
in Comments section.