SecurityManager

Source: Internet. Editor: 程序博客网. Time: 2024/05/16 12:31
Java security is made up of the ClassLoader, class file inspection, built-in security, and the SecurityManager.
The built-in security includes: safe type casting, structured memory access, garbage collection, array bounds checking, and null reference checking.
The first three parts together ensure the integrity of the running program and the JVM instance. The SecurityManager, however, attempts to protect outside resources from attack by malicious code.
When a program starts, it installs a security manager by passing an instance of java.lang.SecurityManager, or of one of its subclasses, to setSecurityManager(). If it does not, the Java API can do anything without restriction. Before version 1.2, java.lang.SecurityManager was an abstract class; now it is a concrete class that supplies a default implementation.
The SecurityManager lets a user define policy without code, via an ASCII file called the policy file. A permission is defined as a class extending java.security.Permission, such as java.io.FilePermission, which grants read, write, and execute permission. When a SecurityManager is created, it parses the policy file to generate the CodeSource and Permission objects, which are encapsulated in a single Policy object that represents the runtime policy. At any time only one Policy object can be installed.

When a check method of the SecurityManager is called, many of them pass the request on to the AccessController class. There were 28 different check methods in the old version, and two more were added after version 1.2: checkPermission(Permission) and checkPermission(Permission, Object).

Here is an example of a policy file called policy.txt:

keystore "ijvmkeys";

grant signedBy "friend" {
    permission java.io.FilePermission "question.txt", "read";
    permission java.io.FilePermission "answer.txt", "read";
};

grant signedBy "stranger" {
    permission java.io.FilePermission "question.txt", "read";
};

grant codeBase "file:${com.artima.ijvm.cdrom.home}/security/ex2/*" {
    permission java.io.FilePermission "question.txt", "read";
    permission java.io.FilePermission "answer.txt", "read";
};

It states that code from a jar signed by "friend" can read both files, question.txt and answer.txt, whereas code signed by "stranger" can read only question.txt.

The third grant block means the policy file grants read permission to the class files located in ${com.artima.ijvm.cdrom.home}/security/ex2/.
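
The decision that policy.txt encodes can be reproduced with the permission classes alone. The following is an added example, not code from the original page: it models the two signedBy grants as java.security.Permissions sets and evaluates requests with implies(). The class name PolicyGrantDemo, the helper names, and the "unsigned" entry are assumptions made for illustration.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example: models the signedBy grants of policy.txt as permission sets.
public class PolicyGrantDemo {

    // Build the permission set that one grant block hands to matching code.
    static Permissions grant(String... readableFiles) {
        Permissions perms = new Permissions();
        for (String f : readableFiles) {
            perms.add(new FilePermission(f, "read"));
        }
        return perms;
    }

    // A request is allowed only if some granted permission implies it.
    // A failed permission check surfaces to the caller as a SecurityException.
    static String decide(Permissions granted, Permission requested) {
        return granted.implies(requested) ? "ALLOW" : "DENY";
    }

    public static void main(String[] args) {
        Map<String, Permissions> grants = new LinkedHashMap<>();
        grants.put("friend", grant("question.txt", "answer.txt"));
        grants.put("stranger", grant("question.txt"));
        grants.put("unsigned", grant()); // hypothetical: code matching no grant block

        Permission[] requests = {
            new FilePermission("question.txt", "read"),
            new FilePermission("answer.txt", "read"),
            new FilePermission("question.txt", "write"), // never granted by policy.txt
        };
        for (Map.Entry<String, Permissions> e : grants.entrySet()) {
            for (Permission p : requests) {
                System.out.printf("%-8s %-14s %-5s %s%n", e.getKey(),
                        p.getName(), p.getActions(), decide(e.getValue(), p));
            }
        }
    }
}
```

Only the "friend" set allows reading answer.txt, no set allows a write, and code that matches no grant block is denied everything, which is the default-deny behaviour a policy file relies on.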
