diff --git a/WHATSNEW b/WHATSNEW
index 2f5f8b8ba..7d95d12c9 100644
--- a/WHATSNEW
+++ b/WHATSNEW
@@ -27,6 +27,11 @@ Changes that could break older environments:
   volumes can still be specified without an intervening separator.
   UNC pathnames on Windows must include a server and share name, i.e.
   "\\a\b" to be considered valid absolute paths.
+  
+* The <java fork="false"> now as per default installs a security manager
+  using the default permissions. This is now independent of the 
+  failonerror attribute.
+  Bugzilla report 33361.
 
 Fixed bugs:
 -----------
diff --git a/docs/manual/CoreTasks/java.html b/docs/manual/CoreTasks/java.html
index 7f6d85ffb..7d2b4ed1b 100644
--- a/docs/manual/CoreTasks/java.html
+++ b/docs/manual/CoreTasks/java.html
@@ -239,10 +239,13 @@ see <a href="../CoreTypes/permissions.html">permissions</a></p>
 <p>When the permission RuntimePermission exitVM has not been granted (or has
 been revoked) the System.exit() call will be intercepted
 and treated like indicated in <i>failonerror</i>.</p>
-<p><a name="failonerror">Note:</a>
-if you specify <code>failonerror=&quot;true&quot;</code> and you do not specify permissions,
-a set of default permissions will be added to your Java invocation to make sure that
-a non-zero return code will lead to a <code>BuildException</code>.
+<p>Note:<br/>
+If you do not specify permissions,
+a set of default permissions will be added to your Java invocation to make 
+sure that the ant run will continue or terminated as indicated by
+<i>failonerror</i>. All permissions not granted per default will be 
+checked by whatever security manager was already in place. exitVM will be
+disallowed.
 </p>
 <p>Settings will be ignored if fork is enabled.</p>
 
diff --git a/src/main/org/apache/tools/ant/taskdefs/Java.java b/src/main/org/apache/tools/ant/taskdefs/Java.java
index 903fa3035..11081426d 100644
--- a/src/main/org/apache/tools/ant/taskdefs/Java.java
+++ b/src/main/org/apache/tools/ant/taskdefs/Java.java
@@ -36,7 +36,6 @@ import org.apache.tools.ant.types.Assertions;
 import org.apache.tools.ant.types.Permissions;
 import org.apache.tools.ant.types.RedirectorElement;
 import org.apache.tools.ant.taskdefs.condition.Os;
-import org.apache.tools.ant.util.JavaEnvUtils;
 import org.apache.tools.ant.util.KeepAliveInputStream;
 
 /**
@@ -117,7 +116,8 @@ public class Java extends Task {
      * Do the execution and return a return code.
      *
      * @return the return code from the execute java class if it was
-     * executed in a separate VM (fork = "yes").
+     * executed in a separate VM (fork = "yes") or a security manager was 
+     * installed that prohibits ExitVM (default).
      *
      * @throws BuildException if required parameters are missing.
      */
@@ -168,7 +168,7 @@ public class Java extends Task {
                 log("bootclasspath ignored when same JVM is used.",
                     Project.MSG_WARN);
             }
-            if (perm == null && failOnError) {
+            if (perm == null) {
                 perm = new Permissions(true);
                 log("running " + this.cmdl.getClassname()
                     + " with default permissions (exit forbidden)", Project.MSG_VERBOSE);