use apache shiro api for authentication over the BasicAuthenticationFilter

scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java

@@ -39,9 +39,14 @@ import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.subject.Subject;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import sonia.scm.security.ScmAuthenticationToken;
 import sonia.scm.user.User;
 import sonia.scm.util.AssertUtil;
 import sonia.scm.util.HttpUtil;
@@ -82,15 +87,22 @@ public class BasicAuthenticationFilter extends HttpFilter
 
   //~--- constructors ---------------------------------------------------------
 
+  /**
+   * Constructs ...
+   * @since 1.21
+   */
+  public BasicAuthenticationFilter() {}
+
   /**
    * Constructs ...
    *
    *
    * @param securityContextProvider
+   * @deprecated use the constructor with out arguments instead.
    */
-  @Inject
+  @Deprecated
   public BasicAuthenticationFilter(
-          Provider<WebSecurityContext> securityContextProvider)
+    Provider<WebSecurityContext> securityContextProvider)
   {
     this.securityContextProvider = securityContextProvider;
   }
@@ -110,12 +122,10 @@ public class BasicAuthenticationFilter extends HttpFilter
    */
   @Override
   protected void doFilter(HttpServletRequest request,
-                          HttpServletResponse response, FilterChain chain)
-          throws IOException, ServletException
+    HttpServletResponse response, FilterChain chain)
+    throws IOException, ServletException
   {
-    WebSecurityContext securityContext = securityContextProvider.get();
-
-    AssertUtil.assertIsNotNull(securityContext);
+    Subject subject = SecurityUtils.getSubject();
 
     User user = null;
     String authentication = request.getHeader(HEADER_AUTHORIZATION);
@@ -127,7 +137,7 @@ public class BasicAuthenticationFilter extends HttpFilter
         logger.trace("found basic authorization header, start authentication");
       }
 
-      user = authenticate(request, response, securityContext, authentication);
+      user = authenticate(request, response, subject, authentication);
 
       if (logger.isTraceEnabled())
       {
@@ -141,14 +151,14 @@ public class BasicAuthenticationFilter extends HttpFilter
         }
       }
     }
-    else if (securityContext.isAuthenticated())
+    else if (subject.isAuthenticated())
     {
       if (logger.isTraceEnabled())
       {
         logger.trace("user is allready authenticated");
       }
 
-      user = securityContext.getUser();
+      user = subject.getPrincipals().oneByType(User.class);
     }
 
     if (user == null)
@@ -163,7 +173,7 @@ public class BasicAuthenticationFilter extends HttpFilter
     else
     {
       chain.doFilter(new SecurityHttpServletRequestWrapper(request, user),
-                     response);
+        response);
     }
   }
 
@@ -181,9 +191,8 @@ public class BasicAuthenticationFilter extends HttpFilter
    * @since 1.8
    */
   protected void handleUnauthorized(HttpServletRequest request,
-                                    HttpServletResponse response,
-                                    FilterChain chain)
-          throws IOException, ServletException
+    HttpServletResponse response, FilterChain chain)
+    throws IOException, ServletException
   {
     HttpUtil.sendUnauthorized(request, response);
   }
@@ -195,14 +204,13 @@ public class BasicAuthenticationFilter extends HttpFilter
    * @param request
    * @param response
    * @param securityContext
+   * @param subject
    * @param authentication
    *
    * @return
    */
   private User authenticate(HttpServletRequest request,
-                            HttpServletResponse response,
-                            WebSecurityContext securityContext,
-                            String authentication)
+    HttpServletResponse response, Subject subject, String authentication)
   {
     String token = authentication.substring(6);
 
@@ -223,8 +231,17 @@ public class BasicAuthenticationFilter extends HttpFilter
           logger.trace("try to authenticate user {}", username);
         }
 
-        user = securityContext.authenticate(request, response, username,
-                password);
+        try
+        {
+
+          subject.login(new ScmAuthenticationToken(request, response, username,
+            password));
+          user = subject.getPrincipals().oneByType(User.class);
+        }
+        catch (AuthenticationException ex)
+        {
+          logger.warn("authentication failed", ex);
+        }
       }
       else if (logger.isWarnEnabled())
       {