The point of Subject.doAs is to change the Subject of the current AccessControlContext (acc). It should not change permissions. The API docs of doAs say "using the retrieved context", and if you look at the source code, it is combining the acc from AccessController.getContext with the subject.

In fact, the acc needs to be privileged for the call to succeed.
The problem with large sections of code running with elevated permissions is that it is opposed to the Principle of Least Privilege. There is an increased chance that somewhere an adversary can slip in some malicious operation.
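As an added illustration of the answer above (example code written here, not taken from the answer or from the JDK), the program below shows that inside Subject.doAs the Subject is bound to the combined context while permission checks still evaluate against the caller's own context, and then keeps the privileged work to the smallest possible span with AccessController.doPrivileged. It assumes it is run with a SecurityManager and a policy file of your choosing (the legacy SecurityManager API is deprecated in recent JDKs); whether the check inside doAs is permitted or denied depends only on that policy, not on the Subject.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.PropertyPermission;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class DoAsDemo {
    public static void main(String[] args) {
        // Constructed sample Subject; "CN=alice" is a placeholder principal.
        Subject alice = new Subject();
        alice.getPrincipals().add(new X500Principal("CN=alice"));

        // Outside doAs no Subject is attached to the current context.
        System.out.println("before doAs: subject = "
                + Subject.getSubject(AccessController.getContext()));

        // With a SecurityManager installed, doAs itself requires
        // AuthPermission("doAs") in the calling context (the "acc needs to
        // be privileged" point from the answer).
        Subject.doAs(alice, (PrivilegedAction<Void>) () -> {
            AccessControlContext acc = AccessController.getContext();
            // The Subject is now bound to the combined context...
            System.out.println("inside doAs: principals = "
                    + Subject.getSubject(acc).getPrincipals());
            // ...but the permissions are still those of the caller's context.
            // This check succeeds or fails exactly as it would outside doAs.
            try {
                AccessController.checkPermission(
                        new PropertyPermission("user.home", "read"));
                System.out.println("inside doAs: read user.home permitted");
            } catch (SecurityException e) {
                System.out.println("inside doAs: read user.home denied");
            }
            return null;
        });

        // Least privilege: elevate only this one operation. doPrivileged
        // truncates the stack walk at this frame, so only this class's own
        // ProtectionDomain is consulted, and nothing outside the lambda
        // runs with those permissions.
        String home = AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> System.getProperty("user.home"));
        System.out.println("privileged read of user.home: " + home);
    }
}
```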