Three main pieces of functionality are required to implement security for JavaScript. First, it must be possible to define classes with an associated security domain. (This security domain may be any object incorporating notion of access restrictions that has meaning to an embedding; for a client-side JavaScript embedding this would typically be java.security.ProtectionDomain or similar object depending on an origin URL and/or a digital certificate.) Next it must be possible to get a security domain object that allows a particular action only if all security domains associated with code on the current Java stack allows it. And finally, it must be possible to execute script code with associated security domain injected into Java stack.
These three pieces of functionality are encapsulated in the SecurityController class.