From 344ad696b26931de01354ad64764208ec3cec60f Mon Sep 17 00:00:00 2001
From: Eduard Heimbuch
Date: Wed, 9 Oct 2019 16:41:55 +0200
Subject: [PATCH] do not add _anonymous to group _authenticated / use AnonymousToken for anonymous access in authenticationFilter
---
 .../sonia/scm/security/AnonymousRealm.java | 34 +++++++++++++++++++
 .../sonia/scm/security/AnonymousToken.java | 16 +++++++++
 .../scm/web/filter/AuthenticationFilter.java | 15 ++++----
 .../scm/group/DefaultGroupCollector.java | 5 ++-
 4 files changed, 60 insertions(+), 10 deletions(-)
 create mode 100644 scm-core/src/main/java/sonia/scm/security/AnonymousRealm.java
 create mode 100644 scm-core/src/main/java/sonia/scm/security/AnonymousToken.java
diff --git a/scm-core/src/main/java/sonia/scm/security/AnonymousRealm.java b/scm-core/src/main/java/sonia/scm/security/AnonymousRealm.java
new file mode 100644
index 0000000000..836c19181b
--- /dev/null
+++ b/scm-core/src/main/java/sonia/scm/security/AnonymousRealm.java
@@ -0,0 +1,34 @@
+package sonia.scm.security;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.inject.Inject;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.realm.AuthenticatingRealm;
+
+public class AnonymousRealm extends AuthenticatingRealm {
+
+ /**
+ * realm name
+ */
+ @VisibleForTesting
+ static final String REALM = "AnonymousRealm";
+
+ /**
+ * dao realm helper
+ */
+ private final DAORealmHelper helper;
+
+ @Inject
+ public AnonymousRealm(DAORealmHelperFactory helperFactory) {
+ this.helper = helperFactory.create(REALM);
+
+ setAuthenticationTokenClass(AnonymousToken.class);
+ }
+
+ @Override
+ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
+ return helper.authenticationInfoBuilder("_anonymous").build();
+ }
+}
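Review bot: `doGetAuthenticationInfo` never inspects the token and hands the `_anonymous` identity to every `AnonymousToken`, so the only gate in front of an anonymous login is the `isAnonymousAccessEnabled()` check in AuthenticationFilter; the realm itself does not consult the configuration, and any other code path that calls `login(new AnonymousToken())` would get the same identity. Either have the realm re-check that anonymous access is enabled and throw `AuthenticationException` otherwise, or state the invariant in a class Javadoc such as `Realm that authenticates {@link AnonymousToken}s as the built-in _anonymous user; a token must only be issued after anonymous access has been confirmed enabled.` The literal `"_anonymous"` is also repeated in DefaultGroupCollector's `collect` in this same patch, where it is compared with `!=`; hoisting it into one shared constant, e.g. `public static final String ANONYMOUS_USER = "_anonymous";`, and comparing with `.equals` would keep both sites in step and avoid reference comparison of strings.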
diff --git a/scm-core/src/main/java/sonia/scm/security/AnonymousToken.java b/scm-core/src/main/java/sonia/scm/security/AnonymousToken.java
new file mode 100644
index 0000000000..1712a04a75
--- /dev/null
+++ b/scm-core/src/main/java/sonia/scm/security/AnonymousToken.java
@@ -0,0 +1,16 @@
+package sonia.scm.security;
+
+import org.apache.shiro.authc.AuthenticationToken;
+
+public class AnonymousToken implements AuthenticationToken {
+ //Anonymous Token does not need an implementation
+ @Override
+ public Object getPrincipal() {
+ return null;
+ }
+
+ @Override
+ public Object getCredentials() {
+ return null;
+ }
+}
diff --git a/scm-core/src/main/java/sonia/scm/web/filter/AuthenticationFilter.java b/scm-core/src/main/java/sonia/scm/web/filter/AuthenticationFilter.java
index c6a8463998..87209ce409 100644
--- a/scm-core/src/main/java/sonia/scm/web/filter/AuthenticationFilter.java
+++ b/scm-core/src/main/java/sonia/scm/web/filter/AuthenticationFilter.java
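Review bot: The comment `//Anonymous Token does not need an implementation` leaves unstated why a token whose principal and credentials are both `null` is acceptable: the token is routed to AnonymousRealm purely by its class, via `setAuthenticationTokenClass(AnonymousToken.class)` in the sibling hunk, and the realm ignores its contents. Replace the line comment with a class Javadoc along the lines of `Marker token for anonymous access; it carries no principal and no credentials and is dispatched to AnonymousRealm by type alone.` Since the class holds no state, declaring it `final` would also make clear that nothing is meant to extend it.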
@@ -37,31 +37,27 @@ package sonia.scm.web.filter;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
-
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.subject.Subject;
-
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-
 import sonia.scm.SCMContext;
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.AnonymousToken;
 import sonia.scm.util.HttpUtil;
 import sonia.scm.util.Util;
 import sonia.scm.web.WebTokenGenerator;
-//~--- JDK imports ------------------------------------------------------------
-
-import java.io.IOException;
-
-import java.util.Set;
-
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Set;
+
+//~--- JDK imports ------------------------------------------------------------
 /**
 * Handles authentication, if a one of the {@link WebTokenGenerator} returns
@@ -134,6 +130,7 @@ public class AuthenticationFilter extends HttpFilter
 else if (isAnonymousAccessEnabled())
 {
 logger.trace("anonymous access granted");
+ subject.login(new AnonymousToken());
 processChain(request, response, chain, subject);
 }
 else
diff --git a/scm-webapp/src/main/java/sonia/scm/group/DefaultGroupCollector.java b/scm-webapp/src/main/java/sonia/scm/group/DefaultGroupCollector.java
index 8c6bac8103..072e975dbf 100644
--- a/scm-webapp/src/main/java/sonia/scm/group/DefaultGroupCollector.java
+++ b/scm-webapp/src/main/java/sonia/scm/group/DefaultGroupCollector.java
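Review bot: In the second hunk `subject.login(new AnonymousToken())` is called bare, while `Subject.login` throws the unchecked `AuthenticationException` when no realm accepts the token; in that case the request would surface as a servlet error rather than going through the filter's normal unauthenticated handling. The enclosing method starts and ends outside the hunk, so a surrounding `catch` may already cover this — if it does not, handle the call the same way the token-based login path is handled, and consider moving the `"anonymous access granted"` trace after the login so the log line reflects the actual outcome. A short why-comment above the call, e.g. `// establish the _anonymous principal so downstream permission checks see an authenticated subject`, would also help, since this branch previously continued without any login. The first hunk only regroups imports and needs nothing.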
@@ -38,7 +38,10 @@ public class DefaultGroupCollector implements GroupCollector {
 public Set collect(String principal) {
 ImmutableSet.Builder builder = ImmutableSet.builder();
- builder.add(AUTHENTICATED);
+ if (principal != "_anonymous") {
+ builder.add(AUTHENTICATED);
+ }
+
 builder.addAll(resolveExternalGroups(principal));
 appendInternalGroups(principal, builder);