...
The security manager is a class that allows applications to implement a security policy. It allows an application to determine, before performing a possibly unsafe or sensitive operation, what the operation is and whether it is being attempted in a security context that allows the operation to be performed. The application can allow or disallow the operation.
A security manager may be associated with any Java code.
The applet security manager denies applets all but the most essential privileges. It is designed to protect inadvertent system modification, information leakage, and user impersonation. The use of security managers is not limited to client-side protection. Web servers, such as Tomcat and WebSphere, use this facility to isolate trojan servlets and malicious Java Server Pages (JSP) code as well as to protect sensitive system resources from inadvertent access.
For Java applications that run from the command line, a default or custom security manager can be set using a special flag. Alternatively, it is possible to install a security manager programmatically. Installing a security manager this way helps create a default sandbox that allows or denies sensitive actions on the basis of the security policy in effect.
...
This noncompliant code example fails to install the security manager from the command line. Consequently, the program runs with all permissions enabled; eg. that is, there is no security manager to restrict any nefarious actions the program might perform.
...