Custom classic plugin plugin-security.policy - cannot access external REST

I have this in my plugin-security.policy:

grant {
  permission java.net.SocketPermission "*", "connect,resolve,accept,listen";

The file is "picked up" by the plugin installer, as it is warning me about other required permissions (which I eventually added).
When I run this processor in a pipeline, it is giving me this:

"""access denied ("java.net.SocketPermission" "control-plane-gateway-xxxxxx.dev:443" "connect,resolve

I've looked at all the policy files I could find in the code base. Nothing seems to work.
I have also tried to add permissions in code, but due to the deprecation warning, I gave up on that avenue.
Any helpful comments?

It's hard to debug without seeing your code, but the most likely cause is that you haven't wrapped your socket access in a doPrivileged block.

The rests of the ES codebase does not have socket permissions, so under Java's stack based security model, your code cannot open a socket if it has been called by code that lacks permission to open sockets.

The builtin GeoIP module can be used as an example:

• elasticsearch/modules/ingest-geoip/src/main/java/org/elasticsearch/ingest/geoip/HttpClient.java at main · elastic/elasticsearch · GitHub
• elasticsearch/modules/ingest-geoip/src/main/plugin-metadata/plugin-security.policy at main · elastic/elasticsearch · GitHub

Thank you.
I came to the same conclusion.
I'll use the ClientBuilder and post the results.

Thanks for the hint.
I created an ```InputStream post(String urlToGet, String method, String authorization, String content_type, String body, Map<String,String> parameters) throws IOException {

```    InputStream get(String urlToGet) throws IOException {
        return doPrivileged(() -> {
``` in the HttpClient.java file from the GeoIP plugin. 
Works.
Now if I can only get the plugin to read the config file. with the REST security settings.