Spec-only change. We cannot change the JDK so that it starts checking permissions even if there is no SecurityManager, at least not by default, since that would be incompatible. We could provide another mechanism to ask for permission checks, but that is the subject of another RFE.
The most important outcome of this change would be that independent implementations could provide alternative mechanisms to ask for permission checks to be made. Also, alternative MBeanServer implementations plugged in via the MBeanServerBuilder mechanism could make checks and remain compatible with the specification of the MBeanServer interface.
Change this sentence in the Javadoc for MBeanServer:
"First, if there is no security manager (System.getSecurityManager() is null), then no checks are made."
"First, if there is no security manager (System.getSecurityManager() is null), then an implementation of this interface is free not to make any checks."
Likewise, in the security chapter of the JMX spec, change this:
"The security checks described in this chapter are only performed when there is a security manager. That is, if System.getSecurityManager() returns null, then no checks are performed."
"The security checks described in this chapter must be performed when there is a security manager. That is, if System.getSecurityManager() does not return null, then authorization checks must be performed. An implementation of the MBeanServer interface is free to perform the checks even if there is no security manager but it is not required to."