The default sandbox is essentially unchanged between 1.2 and 1.3. In 1.2, there is no prohibition against defining classes in the java package.

In Java 1.1, the default sandbox is very different. The 1.1 sandbox is determined solely by the security manager installed by the Java program; although it is possible to write a security manager that allows end users and administrators to configure different security policies, few programs followed that course. For most Java applications, this meant that no security manager was ever installed, and the program ran with complete permissions. Java applets run through the appletviewer and early, 1.1-based versions of the Java Plug-in are subject to strict, nonconfigurable restrictions. Using the signing tool of 1.1 (javakey), it is possible to sign Java applets; these applets can then be given permission to perform any operation. However, the 1.1-based signing infrastructure has been deprecated, and an applet signed with javakey will not be given any special permissions in Java 2.

If you need to understand the 1.1 default sandbox, see Chapter 4 for a discussion of the security manager. Appendix D, shows how you can build a 1.1 application to run other Java applications with a security policy that you’ve written yourself.