SkeletonKeyToken.Access access = token.addAccess(resource.getName());
for (String role : scope.get(res))
{
if (!scopeMapping.getRoles().contains(role))
{
throw new ForbiddenException(Response.status(403).entity("<h1>Security Alert</h1><p>Known client not authorized for the requested scope.</p>").type("text/html").build());
}
if (!roleMapping.getRoles().contains(role))
{
throw new ForbiddenException(Response.status(403).entity("<h1>Security Alert</h1><p>You are not authorized for the requested scope.</p>").type("text/html").build());
}
access.addRole(role);
if (roleMapping.getSurrogateIds() != null && roleMapping.getSurrogateIds().size() > 0)
{
throw new NotImplementedYetException(); // don't support surrogates yet
}
}
}
}
else
{
ScopeMapping mapping = identityManager.getScopeMapping(realm, client);
if (mapping == null || !mapping.getRoles().contains("login"))
{
throw new ForbiddenException(Response.status(403).entity("<h1>Security Alert</h1><p>Known client not authorized to request a user login.</p>").type("text/html").build());
}
token = createAccessToken(user, realm);
}
return token;
}