...
After this code executes, APIs that perform security checks use the custom security manager. As noted earlier, custom security managers should be installed only when the default security manager lacks the required functionality.
Applicability
All Java security heavily depends on the existence of a SecurityManager. In its absence, arbitrary code can execute, which can include code provided by an attacker; sensitive actions can execute and break the sandbox security offered by Java.
Programmatic detection of the presence or absence of a SecurityManager at runtime is straightforward. Static analysis can address the presence or absence of code that would attempt to install a SecurityManager if the code were executed. Checking whether the SecurityManager is installed early enough, specifies the desired properties, or is guaranteed to be installed may be possible in some special cases but is not feasible in full generality.
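The runtime check described above can be written as a fail-closed startup guard. This is an added example, not code from the original page: the class name SecurityManagerGuard, the probe permission set, and the file path are assumptions chosen for illustration, and it assumes a JDK release on which the Security Manager is still available (it is deprecated for removal since Java 17).

```java
import java.io.FilePermission;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;

// Hypothetical startup guard (added example): refuses to continue unless a
// SecurityManager is installed AND it denies a sample of sensitive permissions.
public final class SecurityManagerGuard {

    // Constructed sample of permissions that sandboxed code should not hold.
    private static final Permission[] MUST_BE_DENIED = {
        new RuntimePermission("setSecurityManager"),
        new RuntimePermission("createClassLoader"),
        new ReflectPermission("suppressAccessChecks"),
        new FilePermission("/constructed/secret.txt", "read"),
    };

    // Returns the probe permissions that the current call stack is granted.
    // checkPermission evaluates the calling context, so the result describes
    // this caller only; run the guard from the code that is meant to be confined.
    static List<Permission> grantedProbes(SecurityManager sm) {
        List<Permission> granted = new ArrayList<>();
        for (Permission p : MUST_BE_DENIED) {
            try {
                sm.checkPermission(p);  // throws SecurityException when denied
                granted.add(p);         // no exception: the policy allows it
            } catch (SecurityException denied) {
                // Expected outcome for a restrictive policy.
            }
        }
        return granted;
    }

    // Fail closed: absence of a manager or an over-permissive policy is fatal.
    public static void requireSandbox() {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            throw new IllegalStateException("no SecurityManager installed");
        }
        List<Permission> granted = grantedProbes(sm);
        if (!granted.isEmpty()) {
            throw new IllegalStateException("policy too permissive: " + granted);
        }
    }

    public static void main(String[] args) {
        requireSandbox();
        System.out.println("SecurityManager present and restrictive for this caller");
    }
}
```

The probe confirms only the listed permissions for the current caller at the moment it runs, which is one of the special cases the paragraph refers to; it cannot show that the manager was installed before earlier code executed.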
...