This is only relevant when running under a security manager.

When doing a JNDI lookup the getReference() call to obtain the underlying value should be done in a clean access control context, so the privileges of the caller code to not affect the result of the lookup.

If it is intended that the caller code cannot lookup the bound object this should be enforced using name based JNDI permissions.