A special case of the HandleBodyPattern, used when an explicit access check should be performed before allowing access to some security-sensitive object. The handle object checks for the client's access permission before allowing methods to be executed on the body object. How the handle object determines whether the client should have access depends on the security model being used. In an AccessControlList model, the permissions of the client are presumably carried implicitly by the call (this is vulnerable to the ConfusedDeputyProblem). In a CapabilitySecurityModel, this pattern can be implemented by having the client present an unsealer object (SealerUnsealerPattern). This means that the handle has a different interface to the body, but is less vulnerable to the ConfusedDeputyProblem. ProtectionProxy is superficially similar to CaretakerPattern. However, in CaretakerPattern the handle object does not do any access checks that depend on the current client; it only checks whether access has been revoked. If separate revocation is needed for different clients, they would be given different caretakers. CapabilityOrientedProgramming generally discourages use of ProtectionProxy''''s, in favour of CaretakerPattern and limiting the initial distribution of capabilities (PrincipleOfLeastAuthority). ---- CategorySecurityPatterns