First to contrast with Java I note the similarity of object references to capabilities. Security sensitive matters, however, are supposed by the designers of the Java libraries, to be handled by a security policy module. By contrast, Keykos, can hold to the simple and efficient rule that holding a capability is necessary and sufficient to invoke it.
The AS/400 has a concept of “authorized capabilities” in contrast to unauthorized ones. The process of authorizing a capability is slow when necessary, and involves the patterns that cause security problems in Unix.