What does a Security Manager do
In fact, the standard behavior is for the Java Virtual Machine to examine, not only the calling code, but all methods on the stack, for the appropriate permissions. This strategy prevents untrusted code from using trusted code for its own nefarious purposes. However, the same strategy could prevent trusted code from accomplishing security sensitive activities without granting suitable permissions to any code that calls the trusted code. The loophole that gets around this problem is the ability to wrap security sensitive method calls in a "privileged block" which prevents the JVM from proceeding up the stack. In other words, the code in the privileged block can employ its granted permissions even if the calling code does not have those same permissions.