If you start the Network Server without specifying a security manager, the Network Server installs a default Java security manager that enforces a Basic policy.
You are strongly encouraged to customize this policy to fit the security needs of your application and its runtime environment.
You may also run the Network Server without a security manager, although this is not recommended. Without a security manager in place, the Network Server should not be deployed in such a manner as to allow for connections from untrusted networks. A firewall or other security tool should be used in such a scenario.
A firewall or other security tool is also good practice in addition to running the Network Server with a carefully-written security policy file.
The default policy is used if you boot the Network Server as your VM's entry point, using a command like the following:
java org.apache.derby.drda.NetworkServerControl start ...
Some of your application code may run as procedures and functions that you have declared using the CREATE PROCEDURE and CREATE FUNCTION statements. You will need to add privileged blocks to your declared procedures and functions if they perform sensitive operations, such as file and network I/O, classloading, system property reading, and the like.
The Network Server attempts to install a security manager only if you start the server as the entry point of your VM. The Network Server will not attempt to install a security manager if you start the server from your application using the programmatic API described in "Starting the Network Server from a Java application" in the Derby Server and Administration Guide.