Because the notion of security in Java is pervasive, its implementation is equally pervasive. In this chapter, we’ve explored the security mechanisms that are built into the Java language itself. Essentially, at this level the security mechanisms are concerned with establishing a set of rules for the Java language that creates an environment where an object’s view of memory is well-known and well-defined, so that a developer can ensure that items in memory cannot be accidentally or intentionally read, corrupted, or otherwise misused. We also took a brief look at Java’s bytecode verifier, including why it is necessary, and why you should turn it on, even for Java applications.
It’s important to keep in mind that the purpose of these security constraints is to protect the user’s machine from a malicious piece of code and not to protect a piece of code from a malicious user. Java does not (and could not) prevent a user from acting on memory from outside the browser (with possibly harmful results).