Java is a programming language. It is important to remember that Java is intended to be used for both stand alone applications and Applets that are executed by Java enabled Web Browsers. Thus, the discussion here of Java security is really a discussion of the intended use of the Java language as providing a mechanism for executable content.
The Java approach to providing executable content is to have Web Browsers with an embedded Java interpreter and runtime library. These Web Browsers can download Java programs called Applets, and have the Java interpreter execute the program. With this model, there are three fundamental layers: the Java language itself, the standard set of Java libraries, and the Web Browser itself. The security of the system depends fundamentally on the security of each of these three layers.