I just went through this tutorial:

http://java.sun.com/docs/books/tutorial/security/tour2/index.html

And was curious about the basic concept of JAAS... If every application needs to be run with the '-Djava.security.manager -Djava.security.policy=...' flags, what is enforcing security? Is it up to the end user to know when any Java application is being run, and modify the executable/script/whatever to include those flags? Or, how does a developer enforce that an application is run with the security manager enabled?

The whole concept doesn't seem very functional to me - as it is by default not enabled... Am I missing something?