/**
 * Authorizes the roles requested for this login session.
 *
 * <p>Each {@code DesiredRole} principal names a role the caller wants to assert.
 * Every requested role must be in the set returned by
 * {@code allAuthorizedRoles(principals)}; otherwise the call fails and
 * {@code attributes} is left untouched. On success the requested roles are added
 * to {@code attributes} as {@code Role} entries, and every authorized role that
 * was not requested is added as an {@code UnassertedRole}.
 *
 * @param principals the principals of the login; read, never modified here
 * @param attributes the session attributes; receives the role entries
 * @throws AuthenticationException if at least one requested role is not authorized
 */
@Override
public void session(Set<Principal> principals, Set<Object> attributes)
        throws AuthenticationException {
    // Resolve the authorized roles first, as the original did, so a failure in
    // that lookup is raised before any other work happens.
    Set<Role> allowedRoles = allAuthorizedRoles(principals);

    // Collect the roles named by DesiredRole principals.
    Set<Role> desiredRoles = new HashSet<>();
    for (Principal principal : principals) {
        if (principal instanceof DesiredRole) {
            desiredRoles.add(new Role(((DesiredRole) principal).getName()));
        }
    }

    // Fail closed: a single unauthorized request rejects the whole session, and
    // nothing has been written to attributes at this point.
    Set<Role> unauthorizedRoles =
            Sets.difference(desiredRoles, allowedRoles).copyInto(new HashSet<>());
    if (!unauthorizedRoles.isEmpty()) {
        String description;
        if (unauthorizedRoles.size() == 1) {
            description = unauthorizedRoles.iterator().next().toString();
        } else {
            description = unauthorizedRoles.stream()
                    .map(LoginAttribute::toString)
                    .collect(Collectors.joining(",", "[", "]"));
        }
        // NOTE(review): the message repeats the requested role names, which come
        // from the principals; confirm where this text ends up (client, logs).
        throw new AuthenticationException("unauthorized for " + description);
    }

    // Requested roles were all authorized, so they become active attributes.
    attributes.addAll(desiredRoles);

    // Authorized roles that were not requested are recorded as unasserted, not
    // as active Role attributes.
    for (Role role : Sets.difference(allowedRoles, desiredRoles)) {
        attributes.add(new UnassertedRole(role.getRole()));
    }
}