JS engine security manager needs to check permission source

[warriordog]

I cheated when writing the JS security manager by having it check if the call originated in the JSExecutor class, and if so verify that it was a whitelisted permission. However this opens the door for a compromised JS environment to be able to perform any of the whitelisted actions, including reflection and classloaders (why does something built into java need that?). This will also replace the long process of scanning the stack trace with a single check.