by zebraman 2753 days ago
"This isn’t the case in a language like Java, where access to the outside world is mixed in with other functionality."

That's why there is a SecurityManager: https://docs.oracle.com/javase/tutorial/essential/environmen... that - if anything - is extremely granular.


The SecurityManager is an example of ambient authority, exactly the kind of design that the article is criticizing.

There's at most one SecurityManager per application, meaning you can't in general use it for fine-grained confinement. It's only "granular" in the sense that requested permissions can be arbitrarily finely subdivided. There's no notion of intra-application invocation contexts, making it vulnerable to "confused deputy" problems, including things like the event-stream incident.
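The contrast the comment above draws, as an added example that is not from the thread: a constructed GlobalPolicy stands in for a single application-wide monitor like SecurityManager (the JDK class itself is not used; it is deprecated for removal since JDK 17), and all class and path names are illustrative.

```java
import java.nio.file.Path;

// Added example. Models why a single global monitor with no caller context is
// open to a confused deputy, and how a passed-in capability confines the same call.
public class AmbientVsCapability {

    // --- Ambient authority: one global policy, consulted with only the resource ---
    static final class GlobalPolicy {
        // The deputy (LogService) is trusted to write anywhere under /var/log.
        boolean mayWrite(Path p) { return p.normalize().startsWith(Path.of("/var/log")); }
    }
    static final GlobalPolicy POLICY = new GlobalPolicy(); // one per application, like SecurityManager

    static final class LogService {
        // Deputy: a plugin hands it a path; it can only ask the global policy,
        // which has no idea that the request originated from an untrusted caller.
        String append(Path target, String line) {
            if (!POLICY.mayWrite(target)) throw new SecurityException("denied: " + target);
            return "wrote to " + target.normalize(); // real code would write the file here
        }
    }

    // --- Capability: authority is an object the caller must already hold ---
    static final class DirWriteCap {
        private final Path root;
        DirWriteCap(Path root) { this.root = root.normalize(); }
        String append(Path target, String line) {
            Path t = target.normalize(); // resolves ".." before the containment check
            if (!t.startsWith(root)) throw new SecurityException("outside " + root + ": " + t);
            return "wrote to " + t;
        }
    }

    public static void main(String[] args) {
        Path pluginFile = Path.of("/var/log/plugins/plugin-a/out.log");
        Path authLog    = Path.of("/var/log/plugins/plugin-a/../../auth.log"); // plugin-supplied

        // Confused deputy: the deputy is trusted, so the global check passes even
        // though the plugin that chose the path should never reach auth.log.
        LogService deputy = new LogService();
        System.out.println(deputy.append(pluginFile, "ok"));
        System.out.println(deputy.append(authLog, "tampered")); // succeeds under ambient authority

        // With a capability scoped to its own directory, the plugin can only write
        // through that object, so the traversal is rejected by the object itself.
        DirWriteCap pluginCap = new DirWriteCap(Path.of("/var/log/plugins/plugin-a"));
        System.out.println(pluginCap.append(pluginFile, "ok"));
        try { pluginCap.append(authLog, "tampered"); }
        catch (SecurityException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```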

This is the clearest simple summary I have seen of this limitation of SecurityManager (and other such security monitors). Thanks!