initial implementation

scm-webapp/src/main/java/sonia/scm/lifecycle/modules/ScmSecurityModule.java

@@ -28,8 +28,11 @@ package sonia.scm.lifecycle.modules;
 
 import com.google.inject.name.Names;
 
+import org.apache.shiro.authc.Authenticator;
 import org.apache.shiro.authc.credential.DefaultPasswordService;
 import org.apache.shiro.authc.credential.PasswordService;
+import org.apache.shiro.authc.pam.AuthenticationStrategy;
+import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
 import org.apache.shiro.crypto.hash.DefaultHashService;
 import org.apache.shiro.guice.web.ShiroWebModule;
 import org.apache.shiro.realm.Realm;
@@ -44,6 +47,7 @@ import sonia.scm.plugin.ExtensionProcessor;
 import javax.servlet.ServletContext;
 import org.apache.shiro.mgt.RememberMeManager;
 import sonia.scm.security.DisabledRememberMeManager;
+import sonia.scm.security.ScmAtLeastOneSuccessfulStrategy;
 
 /**
  *
@@ -94,6 +98,11 @@ public class ScmSecurityModule extends ShiroWebModule
     // disable remember me cookie generation
     bind(RememberMeManager.class).to(DisabledRememberMeManager.class);
 
+    // bind authentication strategy
+    bind(ModularRealmAuthenticator.class);
+    bind(Authenticator.class).to(ModularRealmAuthenticator.class);
+    bind(AuthenticationStrategy.class).to(ScmAtLeastOneSuccessfulStrategy.class);
+
     // bind realm
     for (Class<? extends Realm> realm : extensionProcessor.byExtensionPoint(Realm.class))
     {