I've started reading the docs for the security API, and I'm quite confused. The docs seem to suggest that permissions are granted per class (or per group of classes in a ProtectionDomain), but another source I was studying suggests permissions are granted per thread. Is it both?

Here's my situation: I'm writing an application that loads user-supplied plugins from a specified URL. Those plugins must subclass one of two classes, PassiveScript or ActiveScript. They may reference other user-supplied classes in the same URL classpath. The methods of passive scripts will be invoked in one of my application's threads. Active scripts will run in their own thread. I'm not terribly concerned about controlling the plugins' access to system resources. For the most part, allowing access is actually desirable. The main thing I want to prevent is the use of reflection to gain access to private fields and methods of PassiveScript and ActiveScript. So if I could prevent any class loaded by my URL class loader from using reflection, regardless of what thread the code is running in, that would be ideal. Is that possible?