do not add _anonymous to group _authenticated / use AnonymousToken for anonymous access in authenticationFilter

scm-core/src/main/java/sonia/scm/security/AnonymousRealm.java

@@ -0,0 +1,34 @@
+package sonia.scm.security;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.inject.Inject;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.realm.AuthenticatingRealm;
+
+public class AnonymousRealm extends AuthenticatingRealm {
+
+  /**
+   * realm name
+   */
+  @VisibleForTesting
+  static final String REALM = "AnonymousRealm";
+
+  /**
+   * dao realm helper
+   */
+  private final DAORealmHelper helper;
+
+  @Inject
+  public AnonymousRealm(DAORealmHelperFactory helperFactory) {
+    this.helper = helperFactory.create(REALM);
+
+    setAuthenticationTokenClass(AnonymousToken.class);
+  }
+
+  @Override
+  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
+    return helper.authenticationInfoBuilder("_anonymous").build();
+  }
+}

scm-core/src/main/java/sonia/scm/security/AnonymousToken.java

@@ -0,0 +1,16 @@
+package sonia.scm.security;
+
+import org.apache.shiro.authc.AuthenticationToken;
+
+public class AnonymousToken implements AuthenticationToken {
+  //Anonymous Token does not need an implementation
+  @Override
+  public Object getPrincipal() {
+    return null;
+  }
+
+  @Override
+  public Object getCredentials() {
+    return null;
+  }
+}

scm-core/src/main/java/sonia/scm/web/filter/AuthenticationFilter.java

@@ -37,31 +37,27 @@ package sonia.scm.web.filter;
 
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
-
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.subject.Subject;
-
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-
 import sonia.scm.SCMContext;
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.AnonymousToken;
 import sonia.scm.util.HttpUtil;
 import sonia.scm.util.Util;
 import sonia.scm.web.WebTokenGenerator;
 
-//~--- JDK imports ------------------------------------------------------------
-
-import java.io.IOException;
-
-import java.util.Set;
-
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Set;
+
+//~--- JDK imports ------------------------------------------------------------
 
 /**
  * Handles authentication, if a one of the {@link WebTokenGenerator} returns
@@ -134,6 +130,7 @@ public class AuthenticationFilter extends HttpFilter
     else if (isAnonymousAccessEnabled())
     {
       logger.trace("anonymous access granted");
+      subject.login(new AnonymousToken());
       processChain(request, response, chain, subject);
     }
     else

scm-webapp/src/main/java/sonia/scm/group/DefaultGroupCollector.java

@@ -38,7 +38,10 @@ public class DefaultGroupCollector implements GroupCollector {
   public Set<String> collect(String principal) {
     ImmutableSet.Builder<String> builder = ImmutableSet.builder();
 
-    builder.add(AUTHENTICATED);
+    if (principal != "_anonymous") {
+      builder.add(AUTHENTICATED);
+    }
+
     builder.addAll(resolveExternalGroups(principal));
     appendInternalGroups(principal, builder);