GMSClient.java

        AccessControlContext acContext = AccessController.getContext();
        Subject subject = Subject.getSubject(acContext);

        // only consult cache if the userID is of the calling subject
        if (userIsSubject(userID, subject))
        {
            Set<GroupMemberships> gset = subject.getPrivateCredentials(GroupMemberships.class);
            if (gset == null || gset.isEmpty())
            {
                GroupMemberships mems = new GroupMemberships(serviceID.toString(), userID);
                subject.getPrivateCredentials().add(mems);
                return mems;
            }
            GroupMemberships mems = gset.iterator().next();

            // check to ensure they have the same service URI
            if (!serviceID.toString().equals(mems.getServiceURI()))
            {
                log.debug("Not using cache because of differing service URIs: " +
                    "[" + serviceID.toString() + "][" + mems.getServiceURI() + "]");
                return null;
            }

            return mems;
        }
        return null; // no cache
    }

    protected Group getCachedGroup(Principal userID, String groupID, Role role)
    {
        List<Group> groups = getCachedGroups(userID, role, false);
        if (groups == null)
            return null; // no cache
        for (Group g : groups)
        {
            if (g.getID().getName().equals(groupID))
                return g;
        }
        return null;
    }
    protected List<Group> getCachedGroups(Principal userID, Role role, boolean complete)
    {
        GroupMemberships mems = getGroupCache(userID);
        if (mems == null)
            return null; // no cache

        Boolean cacheState = mems.isComplete(role);
        if (!complete || Boolean.TRUE.equals(cacheState))
            return mems.getMemberships(role);

        // caller wanted complete and we don't have that
        return null;
    }

    protected void addCachedGroup(Principal userID, Group group, Role role)
    {
        GroupMemberships mems = getGroupCache(userID);
        if (mems == null)
            return; // no cache

        mems.add(group, role);
    }

    protected void setCachedGroups(Principal userID, List<Group> groups, Role role)
    {
        GroupMemberships mems = getGroupCache(userID);
        if (mems == null)
            return; // no cache

        mems.add(groups, role);
    }

    protected boolean userIsSubject(Principal userID, Subject subject)
    {
        if (userID == null || subject == null)
        {
            return false;
        }

        for (Principal subjectPrincipal : subject.getPrincipals())
        {
            if (AuthenticationUtil.equals(subjectPrincipal, userID))
            {
                return true;
            }
        }
        return false;
    }

    protected RegistryClient getRegistryClient()
    {
        return new RegistryClient();
    }

    /**
     * Lookup the Service URL for the given standard.  The current AuthMethod
     * will be taken into account.
     *
     * @param standard  The URI standard to look up.
     * @return          URL for the service.
     * @throws AccessControlException       If the URL cannot be found for the
     *                                      provided AuthMethod.
     */
    private URL lookupServiceURL(final URI standard)
            throws AccessControlException
    {
        Subject subject = AuthenticationUtil.getCurrentSubject();
        AuthMethod am = getAuthMethod(subject);
        
        URL serviceURL = getRegistryClient().getServiceURL(this.serviceID, standard, am);
        
        // now that we have a URL we can check if the cookie will actually be sent to it
        if (AuthMethod.COOKIE.equals(am))
        {
            try
            {
                boolean domainMatch = false;
                String domain = NetUtil.getDomainName(serviceURL);
                for (SSOCookieCredential cc : subject.getPublicCredentials(SSOCookieCredential.class))
                {
                    if (cc.getDomain().equals(domain))
                        domainMatch = true;
                } 
                if (!domainMatch)
                {
                    throw new AccessControlException("no SSOCookieCredential for domain " + domain);
                }
            }
            catch(IOException ex)
            {
                throw new RuntimeException("failure checking domain for cookie use", ex);
            }
        }
        
        if (serviceURL == null)
        {
            throw new RuntimeException(
                    String.format("Unable to get Service URL for '%s', '%s', '%s'",
                                  serviceID.toString(), standard, am));
        }
        
        return serviceURL;
    }
    
    private AuthMethod getAuthMethod(Subject subject)
    {
        if (subject != null)
        {
            // web services use CDP to load a proxy cert so prefer that
            X509CertificateChain privateKeyChain = X509CertificateChain.findPrivateKeyChain(
                    subject.getPublicCredentials());
            if (privateKeyChain != null)
                return AuthMethod.CERT;
            
            // ui applications pass cookie(s) along
            Set sso = subject.getPublicCredentials(SSOCookieCredential.class);
            if ( !sso.isEmpty() )
            {
                return AuthMethod.COOKIE;
            }
            
            // AuthMethod.PASSWORD not supported
            // AuthMethod.TOKEN not supported
            throw new AccessControlException("No valid public credentials.");
        }
        else
        {
            throw new AccessControlException("Anonymous access not supported.");
        }
    }
}