With security manager enabled, ProtectionDomainCache.create() throws a NullPointerException if ProtectionDomain.getPermissions() returns null.

The javadoc for that method says that it can return null.