String[] authParts = getAuthorizationParts(m);
String authScheme = authParts[0];
String authSchemeData = authParts[1];
// Get the access token
AccessTokenValidation accessTokenV = getAccessTokenValidation(authScheme, authSchemeData);
// Find the scopes which match the current request
List<OAuthPermission> permissions = accessTokenV.getTokenScopes();
List<OAuthPermission> matchingPermissions = new ArrayList<OAuthPermission>();
HttpServletRequest req = getMessageContext().getHttpServletRequest();
for (OAuthPermission perm : permissions) {
boolean uriOK = checkRequestURI(req, perm.getUris());
boolean verbOK = checkHttpVerb(req, perm.getHttpVerbs());
if (uriOK && verbOK) {
matchingPermissions.add(perm);
}
}
if (permissions.size() > 0 && matchingPermissions.isEmpty()) {
String message = "Client has no valid permissions";
LOG.warning(message);
throw new WebApplicationException(403);
}
// Create the security context and make it available on the message
SecurityContext sc = createSecurityContext(req, accessTokenV);
m.put(SecurityContext.class, sc);
// Also set the OAuthContext
OAuthContext oauthContext = new OAuthContext(accessTokenV.getTokenSubject(),
accessTokenV.getClientSubject(),
matchingPermissions,
accessTokenV.getTokenGrantType());
oauthContext.setClientId(accessTokenV.getClientId());
oauthContext.setTokenKey(accessTokenV.getTokenKey());
oauthContext.setTokenAudience(accessTokenV.getAudience());
m.setContent(OAuthContext.class, oauthContext);
}