next up previous
Next: Bell LaPadula Model Up: Protection Previous: Unix SETUID

Java Downloaded Code

Java also provides a two-level mechanism to reduce the rights of a process while it executes downloaded code. Access control for a process that allows code to be dynamically downloaded into it must distinguish local code from downloaded code and give the downloaded code restricted rights, so that, for instance, it cannot destroy or leak the contents of local data. Two approaches have been used to restrict the access of downloaded Java applets. The first, stack introspection, relies on the fact that separate class loader objects are used to load local and remote code and that the stack frame of each method identifies, through the method's class, the loader that loaded it. As a result, when a protected method is called, the browser can walk the call stack and provide only restricted access if any frame on it belongs to a method that was called (directly or indirectly) by downloaded code. An applet gains nothing by routing its request through a trusted local method, because that method's frame is merely pushed above the applet's own frame on the same stack.
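The stack introspection approach, as an added example that is not code from the original notes. Python functions have no class loader, so a decorator named downloaded() stands in for the untrusted loader by recording which code objects it produced; the protected method read_local_file(), the local helper local_report(), the applet function applet_leak() and the file contents are all constructed for the illustration.

```python
import sys

class SecurityError(Exception):
    """Raised when a protected operation is reached from downloaded code."""

# Code objects that the (hypothetical) untrusted loader produced. In the JVM
# the class loader of each frame's class plays this role; Python functions
# have no loader, so a decorator records the origin instead.
_DOWNLOADED_CODE = set()

def downloaded(func):
    """Mark func as code that was dynamically downloaded (untrusted)."""
    _DOWNLOADED_CODE.add(func.__code__)
    return func

def check_privilege():
    """Walk the caller's stack; deny if any frame belongs to downloaded code.

    The walk covers the whole stack, so downloaded code cannot escape the
    check by calling a trusted local method that calls the protected one.
    """
    frame = sys._getframe(1)          # skip check_privilege's own frame
    while frame is not None:
        if frame.f_code in _DOWNLOADED_CODE:
            raise SecurityError(
                f"denied: {frame.f_code.co_name} is downloaded code")
        frame = frame.f_back

# Constructed local data standing in for the browser's files.
_LOCAL_FILES = {"/home/alice/secret.txt": "s3cret"}

def read_local_file(path):
    """Protected method: the privilege check is hard-coded at its entry."""
    check_privilege()
    return _LOCAL_FILES[path]

def local_report(path):
    """Trusted local helper that uses the protected method."""
    return "report: " + read_local_file(path)

@downloaded
def applet_leak(path):
    """Applet that tries to read local data indirectly via the trusted helper."""
    return local_report(path)

def attempt(func, *args):
    """Run func and report whether the stack check allowed it."""
    try:
        return ("allowed", func(*args))
    except SecurityError as err:
        return ("denied", str(err))

if __name__ == "__main__":
    print(attempt(local_report, "/home/alice/secret.txt"))   # allowed
    print(attempt(applet_leak, "/home/alice/secret.txt"))    # denied
```

Calling local_report() from local code succeeds; calling it from applet_leak() fails even though the applet never names the protected method, because applet_leak's frame is still on the stack when check_privilege() runs. The example does not model AccessController.doPrivileged(), which in the JDK lets trusted code stop the walk at its own frame when it deliberately performs a protected operation on behalf of untrusted code.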

The second approach, name space management, relies on the fact that the loader determines the name space in which downloaded code resolves class names. The loader creates restrictive proxy classes for the protected classes and makes sure that downloaded code sees the proxy classes instead of the protected classes. A proxy exposes the same interface as the protected class but forwards only the operations the policy permits, so downloaded code never obtains a reference to the protected class itself.
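The name space approach, as an added example that is not code from the original notes. A loader builds the name space in which a piece of source code runs; a trusted loader binds the name LocalFile to the protected class, an untrusted loader binds it to LocalFileProxy. The class names, the proxy's policy (reads only under /tmp, no deletes), the applet source and the file contents are all assumed for the illustration.

```python
class SecurityError(Exception):
    """Raised when a proxy refuses an operation."""

# Constructed local data standing in for the browser's files.
_LOCAL_FILES = {"/home/alice/secret.txt": "s3cret", "/tmp/scratch": "scratch"}

class LocalFile:
    """Protected class: unrestricted access to local data."""
    def read(self, path):
        return _LOCAL_FILES[path]
    def delete(self, path):
        del _LOCAL_FILES[path]

class LocalFileProxy:
    """Restrictive proxy with the same interface as LocalFile.

    Hypothetical policy: downloaded code may read only under /tmp and may
    never delete. The proxy holds the reference to the real object, so the
    downloaded code is handed a proxy, never a LocalFile.
    """
    def __init__(self):
        self._real = LocalFile()
    def read(self, path):
        if not path.startswith("/tmp/"):
            raise SecurityError(f"read of {path} refused for downloaded code")
        return self._real.read(path)
    def delete(self, path):
        raise SecurityError("delete refused for downloaded code")

PROTECTED = {"LocalFile": LocalFile}      # what local code sees
PROXIES = {"LocalFile": LocalFileProxy}   # what downloaded code sees

class Loader:
    """Loader that decides which class each protected name resolves to."""
    def __init__(self, trusted):
        self.trusted = trusted

    def resolve(self, name):
        if not self.trusted and name in PROXIES:
            return PROXIES[name]
        return PROTECTED[name]

    def load(self, source):
        """Execute source in a name space built by this loader; return it."""
        namespace = {name: self.resolve(name) for name in PROTECTED}
        exec(source, namespace)
        return namespace

# Constructed code that would arrive over the network. It is written against
# the name LocalFile and knows nothing about proxies.
APPLET_SOURCE = '''
def run(path):
    return LocalFile().read(path)
'''

def run_as(trusted, path):
    """Load APPLET_SOURCE with a loader of the given trust level and run it."""
    module = Loader(trusted).load(APPLET_SOURCE)
    try:
        return ("allowed", module["run"](path))
    except SecurityError as err:
        return ("denied", str(err))

if __name__ == "__main__":
    print(run_as(True, "/home/alice/secret.txt"))    # allowed
    print(run_as(False, "/home/alice/secret.txt"))   # denied
    print(run_as(False, "/tmp/scratch"))             # allowed
```

The same applet source reads the secret when loaded by the trusted loader and is refused when loaded by the untrusted one; the only thing that changed is the binding of the name LocalFile. The example models only name resolution: Python does not enforce encapsulation, so code that already holds a LocalFileProxy could reach its _real attribute, whereas in Java the proxy's private state and the protected class's package are kept out of the downloaded code's reach by the language's access rules and the loader's name space.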

The protected methods are, in effect, at a more privileged ring than other methods. Local code can be considered to reside at the privileged level and downloaded code at the regular level; when a process executes downloaded code, its ring level is in effect reduced to the regular level. No ring number is actually kept with a process: the stack or the name space records the privilege level instead. Similarly, no ring number is kept with methods; the division between protected and unprotected methods is hard-coded. In the stack introspection approach, the hard-coding is done by ensuring that a check method (called checkPrivilege() here; in the JDK, the SecurityManager check methods, which in turn call AccessController.checkPermission()) is invoked before the protected method's body runs. In the name space approach, it is done by defining proxy classes for the protected classes. In either case a protected method that omits the check, or a protected class for which no proxy is installed, is reachable by downloaded code with full rights, so the security of the scheme rests on this hard-coded division being complete.






Prasun Dewan
Thu Apr 4 13:59:14 EST 2002