When javax.script API is used to evaluate a (string) script, the script does not get the default permissions given to any code. The same is true when "jjs" is run in interactive mode under security manager. {code} import javax.script.*; public class Main { public static void main(String[] ar) throws ScriptException { ScriptEngineManager m = new ScriptEngineManager(); ScriptEngine e = m.getEngineByName("nashorn"); System.out.println(e.eval("java.lang.System.getProperty('java.version')")); } } {code} results in security exception (it should not). Another example: jjs -J-Djava.security.manager jjs> java.lang.System.getProperty("java.version") java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.version" "read")