A security manager is required for any VM that downloads executable (
Java) code from another source -- doesn't matter if it's a "client" or a "server," as these terms just describe the process' role in one relationship. If I have a program that is remotely available to a client, but also uses another program as a remote source, then that program is both a "server" and a "client," respectively.
Policies describe the actions allowed for each server codebase. Even if you're only going to load one stub from one RMI server, you need a policy for that. Even if you want to give all possible server sources all possible permissions, you need a policy that says that; it must be explicit.
------------------
Michael Ernest, co-author of:
The Complete Java 2 Certification Study Guide [This message has been edited by Michael Ernest (edited December 30, 2001).]