Is it mandatory for me to instantiate a security manager within my RMI server?

Govind Seshadri

It is not mandatory to set a security manager in order to use Java/RMI. The reason to set one is so that the Java/RMI client can handle serialized objects for which it does not have a corresponding class file in its local CLASSPATH. If the security manager is set to the RMISecurityManager, the client can download and instantiate class files from the Java/RMI server. This mechanism is actually fairly important to Java/RMI, as it allows the server to generate subclasses for any Serializable object and provide the code to handle these subclasses to the client.

It is entirely possible to use Java/RMI without setting the security manager, as long as the client has access to definitions for all objects that might be returned. Java/RMI's ability to pass any object at any time using Serialization and class file download is possible only because the JVM provides a portable and secure environment for passing around the Java byte codes that form the Java executable, from which Java objects can be reconstructed at run-time if required. See http://www.execpc.com/~gopalan/misc/compare.html for more details.
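The two modes described above, shown from the client side as an added example (not code from the original answer). The `ReportService` interface, the `--allow-download` switch, the registry name and the policy host are hypothetical, and the example assumes a JDK on which a security manager can still be installed (the Security Manager is deprecated from Java 17).

```java
import java.rmi.RMISecurityManager;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.UnmarshalException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

public class ReportClient {
    /** Hypothetical remote interface shared with the server; it may return any Serializable subclass. */
    public interface ReportService extends Remote {
        java.io.Serializable latestReport() throws RemoteException;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";
        boolean allowDownload = args.length > 1 && "--allow-download".equals(args[1]);

        if (allowDownload && System.getSecurityManager() == null) {
            // RMI only loads downloaded classes when a security manager is set.
            // RMISecurityManager is the class the answer names; since Java 8 it is
            // deprecated in favour of plain java.lang.SecurityManager.
            // Run with -Djava.security.policy=client.policy, where the policy grants
            // only what the client needs (the host name below is a placeholder):
            //   grant {
            //     permission java.net.SocketPermission
            //         "rmi.example.internal:1024-", "connect,resolve";
            //   };
            System.setSecurityManager(new RMISecurityManager());
        }

        Registry registry = LocateRegistry.getRegistry(host);
        ReportService service = (ReportService) registry.lookup("ReportService");
        try {
            Object report = service.latestReport();
            System.out.println("Received " + report.getClass().getName()
                    + " loaded by " + report.getClass().getClassLoader());
        } catch (UnmarshalException e) {
            // Without a security manager, a return value whose class is not on the
            // local CLASSPATH fails here with a nested ClassNotFoundException.
            if (e.getCause() instanceof ClassNotFoundException) {
                System.err.println("Class not available locally: " + e.getCause().getMessage());
            } else {
                throw e;
            }
        }
    }
}
```

Running without `--allow-download` is the configuration in which the client must already hold every class the server can return; with it, the policy file bounds what the downloaded code is permitted to do.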