AccessController works with the java.security.Policy implementation to securely process application requests. In JS2E, a typical checkPermission(Permission p) method call on the AccessController class might result in the following sequence:
The AccessController invokes the getPermisisons() method of the javax.security.auth policy passing in the subject and the code source.
The getPermissions() method returns a PermissionCollection class instance, which represents a collection of same types of permissions.
The elements() method of the returned PermissionCollection gets called, which returns an enumeration of the permissions held in this PermissionCollection.
For each of the permissions returned in the enumeration (in step 3), the perm.newPermissionCollection() method gets called to obtain the PermissionCollection used to store the permission.
PermissionCollection.add(perm) gets called by the J2SE internal code to store the permission in its PermissionCollection.
The AccessController calls the implies(Permission p) method of the PermissionCollection returned in step 2.
Once the implies() of PermissionCollection is called, it in turn triggers the calling of implies(Permission p) of the individual permission objects contained in the PermissionCollection . These methods return true if the current permission object in the collection implies the specified permission; the methods return false the current permission object in the collection does not imply the specified permission. This outcome is implementation dependent and can be changed.