As of now jdk.dynalink module has AllPermission in standard bundled security policy ( java.policy ). We need to revisit it and reduce permission set if possible.