According to the Sun J2SE documentation (http://java.sun.com/javase/6/docs/api/java/lang/SecurityManager.html):
"The security manager is a class that allows applications to implement a security policy. It allows an application to determine, before performing a possibly unsafe or sensitive operation, what the operation is and whether it is being attempted in a security context that allows the operation to be performed. The application can allow or disallow the operation."
...
By default, the SecurityManager checkPermission method(s) forward all calls to java.security.AccessController.checkPermission. Sometimes a check must be performed against a context other than that of the currently executing thread. This can be done using the checkPermission(Permission perm, Object context) method, which takes an extra argument (such as an AccessControlContext) as the context of the desired thread.
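The following added example (not part of the original guideline) shows the two-argument check: a context is captured on one thread and evaluated later on a worker thread. The class name ContextCheckDemo, the helpers contextWith and allowed, and the file path are hypothetical; it assumes a JDK on which the Security Manager API is still functional (it is deprecated for removal since Java 17).

```java
import java.io.FilePermission;
import java.security.*;

public class ContextCheckDemo {
    // Build a context holding one protection domain with a fixed (static) permission set.
    static AccessControlContext contextWith(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) perms.add(p);
        return new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, perms) });
    }

    // True if 'context' (not the calling thread's own stack) is allowed 'perm'.
    static boolean allowed(SecurityManager sm, Permission perm, Object context) {
        try {
            sm.checkPermission(perm, context);
            return true;
        } catch (SecurityException e) { // also covers AccessControlException
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        SecurityManager sm = new SecurityManager(); // used for checks only, never installed
        Permission read = new FilePermission("/tmp/report.txt", "read"); // constructed sample path

        // Request side: snapshot the context while running as a caller with no permissions.
        Object callerSnapshot = AccessController.doPrivileged(
            (PrivilegedAction<Object>) sm::getSecurityContext, contextWith());

        // Worker side: a different thread decides against the snapshot, not its own stack.
        Thread worker = new Thread(() -> {
            System.out.println("restricted caller: " + allowed(sm, read, callerSnapshot));
            System.out.println("trusted context:   " + allowed(sm, read, contextWith(new AllPermission())));
            // Anything that is not an AccessControlContext is rejected with SecurityException.
            System.out.println("not a context:     " + allowed(sm, read, "caller"));
        });
        worker.start();
        worker.join();
    }
}
```

The snapshot taken under the empty permission set is denied even though the worker thread itself never ran with restricted permissions, which is the property a server needs when it acts later on behalf of a less-privileged caller.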
The document [Policy 02] discusses writing policy files in depth.
Risk Assessment
Running Java code without a security manager installed means that no security policy is enforced at all.
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[API 06] Class SecurityManager, http://java.sun.com/javase/6/docs/api/java/lang/SecurityManager.html
[Policy 02]
[Pistoia 04] Section 7.4, The Security Manager
[Gong 03] Section 6.1, Security Manager