/**
 * Exposes the roles of the authenticated user as a single group named {@code "Roles"}.
 *
 * <p>Each role name is taken from {@code access}, the token entity that {@code login} stores,
 * and wrapped in a {@link SimplePrincipal}. Nothing is re-validated here, so the role names are
 * only as trustworthy as the signature check in {@code login}.
 *
 * @return a one-element array holding the {@code "Roles"} group
 * @throws LoginException declared by the overridden method; not thrown by this body
 */
@Override
 protected Group[] getRoleSets() throws LoginException {
   SimpleGroup roleGroup = new SimpleGroup("Roles");
   for (Role granted : access.getUser().getRoles()) {
     SimplePrincipal rolePrincipal = new SimplePrincipal(granted.getName());
     roleGroup.addMember(rolePrincipal);
   }
   return new Group[] {roleGroup};
 }
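  /**
   * Authenticates the request from the PKCS#7-signed token in the
   * {@code X-Auth-Signed-Token} header.
   *
   * <p>The token signature is verified against the certificate stored under
   * {@code skeletonKeyCertificateAlias} in the security domain's key store. The signed entity is
   * then unmarshalled as an {@link Access} and checked for expiry and for a project id equal to
   * {@code projectId}. The {@code access} field is assigned only after every check has passed,
   * so a rejected token never becomes visible to {@code getIdentity()} or {@code getRoleSets()}.
   *
   * @param request the incoming request carrying the token header
   * @param response the response; not used by this method
   * @return {@code true} when the token was accepted, {@code false} when the header is absent
   * @throws LoginException if no key store or X.509 certificate is available, the signature does
   *     not verify, the token cannot be parsed or is incomplete, the token has expired, or its
   *     project id does not match
   */
  @Override
  protected boolean login(Request request, HttpServletResponse response) throws LoginException {
    String tokenHeader = request.getHeader("X-Auth-Signed-Token");
    // No header: decline instead of failing, as the original code does.
    if (tokenHeader == null) {
      return false;
    }

    // Only the security domain's key store is consulted for the verification certificate.
    // instanceof is false for null, so a missing domain falls through to the check below.
    KeyStore keyStore = null;
    if (domain instanceof SecurityDomain) {
      keyStore = ((SecurityDomain) domain).getKeyStore();
    } else if (domain instanceof JSSESecurityDomain) {
      keyStore = ((JSSESecurityDomain) domain).getKeyStore();
    }
    if (keyStore == null) {
      throw new LoginException("No trust store found");
    }

    java.security.cert.Certificate stored;
    try {
      stored = keyStore.getCertificate(skeletonKeyCertificateAlias);
    } catch (KeyStoreException e) {
      LoginException failure = new LoginException("Could not get certificate from keyStore");
      failure.initCause(e);
      throw failure;
    }
    // KeyStore.getCertificate returns null for an unknown alias. Reject that (and any non-X.509
    // entry) explicitly so verification is never attempted without a certificate; how
    // PKCS7SignatureInput treats a null certificate is not visible from this method.
    if (!(stored instanceof X509Certificate)) {
      throw new LoginException("Could not get certificate from keyStore");
    }
    X509Certificate certificate = (X509Certificate) stored;

    // Keep the parsed entity local until it has passed every check below.
    Access parsed;
    try {
      PKCS7SignatureInput input = new PKCS7SignatureInput(tokenHeader);
      if (!input.verify(certificate)) {
        throw new LoginException("Bad Signature");
      }
      parsed = (Access) input.getEntity(Access.class, MediaType.APPLICATION_JSON_TYPE);
    } catch (LoginException le) {
      throw le;
    } catch (Exception e) {
      // Keep the cause for diagnostics; the message stays generic.
      LoginException failure = new LoginException("Bad Token");
      failure.initCause(e);
      throw failure;
    }

    // A signed but incomplete entity must fail as a LoginException, not as a
    // NullPointerException. getIdentity() and getRoleSets() dereference getUser(), so a
    // token without a user is rejected here as well.
    if (parsed == null || parsed.getToken() == null || parsed.getUser() == null) {
      throw new LoginException("Bad Token");
    }
    if (parsed.getToken().expired()) {
      throw new LoginException("Token expired");
    }
    // Fail closed when either side of the project comparison is missing.
    if (projectId == null
        || parsed.getToken().getProject() == null
        || !projectId.equals(parsed.getToken().getProject().getId())) {
      throw new LoginException("Token project id doesn't match");
    }

    this.access = parsed;
    this.loginOk = true;
    return true;
  }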
 /**
  * Returns the caller's identity as a {@link UserPrincipal} wrapping the user carried in
  * {@code access}.
  *
  * <p>{@code access} is dereferenced without a null check, so this method relies on it having
  * been assigned beforehand.
  *
  * @return a new principal for {@code access.getUser()}
  */
 @Override
 protected Principal getIdentity() {
   return new UserPrincipal(access.getUser());
 }