One of the nice features of the Java runtime environment is that it allows application developers to configure fine-grained security policies for constraining Java code via SecurityManagers. This in turn allows you to accept or reject a program's attempt to shut down the JVM, access local disk files, or connect to arbitrary network locations.

In the case of Java server software, turning on the security manager with a carefully configured security policy can ensure that malicious network clients cannot command the JVM to access anything that the administrator did not preapprove. For example, your security policy can dictate that your custom servlets are not allowed to access any files on the filesystem. This would make it impossible for an attacker to carefully craft requests to use those custom servlets to expose the contents of files on the server; the security manager would stop them even if the servlets didn't.
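
The servlet scenario above, as an added example that is not code from the original page: servlet logic with no path checks of its own runs in a protection domain that holds no permissions, and the security manager rejects its file read. The class and method names are hypothetical, and the example assumes a JDK on which the Security Manager can still be installed (it is deprecated for removal as of Java 17).

```java
import java.nio.file.*;
import java.security.*;

public class ServletSandboxDemo {

    // Hypothetical servlet logic that does no path validation of its own.
    static String handleRequest(String requestedPath) throws Exception {
        return new String(Files.readAllBytes(Paths.get(requestedPath)), "UTF-8");
    }

    // Runs the servlet logic inside a domain that holds no permissions at all,
    // the programmatic equivalent of a policy that grants the servlet code nothing.
    static String serve(String requestedPath) throws Exception {
        ProtectionDomain servletDomain = new ProtectionDomain(null, new Permissions());
        AccessControlContext servletContext =
                new AccessControlContext(new ProtectionDomain[] { servletDomain });
        PrivilegedExceptionAction<String> action = () -> handleRequest(requestedPath);
        try {
            return AccessController.doPrivileged(action, servletContext);
        } catch (AccessControlException denied) {
            // The security manager stopped the read even though the servlet did not.
            return "DENIED: " + denied.getPermission();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: a file standing in for something sensitive on the server.
        Path secret = Files.createTempFile("server-secret", ".txt");
        Files.write(secret, "db-password=example".getBytes("UTF-8"));

        // Assumption for this demo: all other code (the "container") is fully trusted.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        System.out.println(serve(secret.toString()));
        Files.delete(secret);
    }
}
```

In a real server the same effect comes from the policy configuration: the codebase that holds the custom servlets is given a grant that contains no `java.io.FilePermission` entries.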