JAAS tutorial - how to force application to run with policy

I just went through this tutorial:

htt开发者_运维知识库p://java.sun.com/docs/books/tutorial/security/tour2/index.html

And was curios about the basic concept of JAAS... If every applcation needs to be run with the '-Djava.security.manager -Djava.security.policy=...' flags, what is enforcing security? Is it up to the end user to know when any Java application is being run, and modify the executable/script/whatever to include those flags? Or, how does a developer enforce that an application is run with the security manager enabled?

The whole concept doesnt seem very functional to me - as it is by default not enabled... Am I missing something?

This code should work:

// Set policy
System.setProperty("java.security.policy", "PATH_TO_POLICY_FILE");
// Enable security manager
System.setSecurityManager(new SecurityManager());