...
Note that the policy file specified in the argument is ignored when the policy.allowSystemProperty property in the security properties file (java.security) is set to false; the default value of this property is true. "Default Policy Implementation and Policy File Syntax" [Policy 2010] discusses in depth the issues of and syntax for writing policy files.
...
```java
try {
  System.setSecurityManager(null);
} catch (SecurityException se) {
  // Cannot set security manager, log to file
}
```
An active SecurityManager that enforces a sensible security policy will prevent the system from deactivating it, causing this code to throw a SecurityException.
...
This compliant solution demonstrates how to instantiate a custom SecurityManager class called CustomSecurityManager by invoking its constructor with a password; this custom security manager is then installed as the active security manager.
```java
char password[] = /* initialize */
try {
  System.setSecurityManager(
    new CustomSecurityManager("password here")
  );
} catch (SecurityException se) {
  // Cannot set security manager, log appropriately
}
```
...
Java security fundamentally depends on the existence of a security manager. In its absence, sensitive actions can execute without restriction.
Programmatic detection of the presence or absence of a SecurityManager at runtime is straightforward. Static analysis can address the presence or absence of code that would attempt to install a SecurityManager if the code were executed. Checking whether the SecurityManager is installed early enough, whether it specifies the desired properties, or whether it is guaranteed to be installed may be possible in some special cases but is generally undecidable.
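The runtime check described above, combined with the policy.allowSystemProperty caveat noted earlier, as an added example that is not part of the original guideline. The class name SandboxAudit and the fail-closed behaviour in main are assumptions made for illustration.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the guideline): audits the sandbox settings discussed above.
// SecurityManager is deprecated for removal since Java 17, so newer compilers warn here.
public final class SandboxAudit {

    /** Returns findings; an empty list means no problem was detected. */
    public static List<String> audit() {
        List<String> findings = new ArrayList<>();

        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            findings.add("no SecurityManager installed: sensitive actions run unrestricted");
        } else {
            try {
                // Non-destructive probe: would setSecurityManager(null) be allowed
                // for the code on this call stack? Nothing is actually changed.
                sm.checkPermission(new RuntimePermission("setSecurityManager"));
                findings.add("policy grants setSecurityManager: the manager can be deactivated");
            } catch (SecurityException expected) {
                // Good: the active policy refuses to let this code remove the manager.
            }
        }

        try {
            String policyArg = System.getProperty("java.security.policy");
            String allow = Security.getProperty("policy.allowSystemProperty");
            if (policyArg != null && allow != null && "false".equalsIgnoreCase(allow.trim())) {
                findings.add("java.security.policy=" + policyArg
                        + " is ignored: policy.allowSystemProperty is false");
            }
        } catch (SecurityException se) {
            // Reading these needs PropertyPermission / SecurityPermission under a manager.
            findings.add("cannot verify policy properties: " + se.getMessage());
        }
        return findings;
    }

    public static void main(String[] args) {
        List<String> findings = audit();
        findings.forEach(f -> System.err.println("SANDBOX AUDIT: " + f));
        if (!findings.isEmpty()) {
            // Fail closed; assumption: this application must not run outside its sandbox.
            throw new IllegalStateException("sandbox audit failed");
        }
    }
}
```

The permission probe is evaluated against the protection domains on the calling stack, so run the audit from the same code base whose privileges you want to assess.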
Bibliography
[API 2014] | Class SecurityManager; Class AccessControlContext; Class AccessController |
[Gong 2003] | §6.1, "Security Manager" |
[Pistoia 2004] | §7.4, "The Security Manager" |
[Policy 2010] | "Default Policy Implementation and Policy File Syntax" |
[SecuritySpec 2010] | §6.2, "SecurityManager versus AccessController" |
...