Merge with develop branch

scm-webapp/src/main/java/sonia/scm/api/v2/resources/ConfigDto.java

@@ -29,6 +29,7 @@ import de.otto.edison.hal.Links;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
+import sonia.scm.security.AnonymousMode;
 
 import java.util.Set;
 
@@ -46,6 +47,7 @@ public class ConfigDto extends HalRepresentation {
   private boolean disableGroupingGrid;
   private String dateFormat;
   private boolean anonymousAccessEnabled;
+  private AnonymousMode anonymousMode;
   private String baseUrl;
   private boolean forceBaseUrl;
   private int loginAttemptLimit;

scm-webapp/src/main/java/sonia/scm/api/v2/resources/ConfigDtoToScmConfigurationMapper.java

@@ -21,11 +21,14 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.api.v2.resources;
 
+import org.mapstruct.AfterMapping;
 import org.mapstruct.Mapper;
+import org.mapstruct.MappingTarget;
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.AnonymousMode;
 
 // Mapstruct does not support parameterized (i.e. non-default) constructors. Thus, we need to use field injection.
 @SuppressWarnings("squid:S3306")
@@ -33,4 +36,15 @@ import sonia.scm.config.ScmConfiguration;
 public abstract class ConfigDtoToScmConfigurationMapper {
 
   public abstract ScmConfiguration map(ConfigDto dto);
+
+  @AfterMapping // Should map anonymous mode from old flag if not send explicit
+  void mapAnonymousMode(@MappingTarget ScmConfiguration config, ConfigDto configDto) {
+    if (configDto.getAnonymousMode() == null) {
+      if (configDto.isAnonymousAccessEnabled()) {
+        config.setAnonymousMode(AnonymousMode.PROTOCOL_ONLY);
+      } else {
+        config.setAnonymousMode(AnonymousMode.OFF);
+      }
+    }
+  }
 }

scm-webapp/src/main/java/sonia/scm/api/v2/resources/GroupCollectionResource.java

@@ -21,7 +21,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.api.v2.resources;
 
 import io.swagger.v3.oas.annotations.Operation;
@@ -31,6 +31,7 @@ import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import sonia.scm.group.Group;
 import sonia.scm.group.GroupManager;
+import sonia.scm.group.GroupPermissions;
 import sonia.scm.search.SearchRequest;
 import sonia.scm.search.SearchUtil;
 import sonia.scm.web.VndMediaType;
@@ -106,6 +107,7 @@ public class GroupCollectionResource {
                          @QueryParam("desc") boolean desc,
                          @DefaultValue("") @QueryParam("q") String search
   ) {
+    GroupPermissions.list().check();
     return adapter.getAll(page, pageSize, createSearchPredicate(search), sortBy, desc,
       pageResult -> groupCollectionToDtoMapper.map(page, pageSize, pageResult));
   }

scm-webapp/src/main/java/sonia/scm/api/v2/resources/IndexDtoGenerator.java

@@ -21,7 +21,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.api.v2.resources;
 
 import com.google.common.base.Strings;
@@ -35,6 +35,7 @@ import sonia.scm.config.ConfigurationPermissions;
 import sonia.scm.config.ScmConfiguration;
 import sonia.scm.group.GroupPermissions;
 import sonia.scm.plugin.PluginPermissions;
+import sonia.scm.security.AnonymousMode;
 import sonia.scm.security.Authentications;
 import sonia.scm.security.PermissionPermissions;
 import sonia.scm.user.UserPermissions;
@@ -70,7 +71,7 @@ public class IndexDtoGenerator extends HalAppenderMapper {
       builder.single(link("loginInfo", loginInfoUrl));
     }
 
-    if (SecurityUtils.getSubject().isAuthenticated()) {
+    if (shouldAppendSubjectRelatedLinks()) {
       builder.single(link("me", resourceLinks.me().self()));
 
       if (Authentications.isAuthenticatedSubjectAnonymous()) {
@@ -120,4 +121,19 @@ public class IndexDtoGenerator extends HalAppenderMapper {
 
     return new IndexDto(builder.build(), embeddedBuilder.build(), scmContextProvider.getVersion());
   }
+
+  private boolean shouldAppendSubjectRelatedLinks() {
+    return isAuthenticatedSubjectNotAnonymous()
+      || isAuthenticatedSubjectAllowedToBeAnonymous();
+  }
+
+  private boolean isAuthenticatedSubjectAllowedToBeAnonymous() {
+    return Authentications.isAuthenticatedSubjectAnonymous()
+      && configuration.getAnonymousMode() == AnonymousMode.FULL;
+  }
+
+  private boolean isAuthenticatedSubjectNotAnonymous() {
+    return SecurityUtils.getSubject().isAuthenticated()
+      && !Authentications.isAuthenticatedSubjectAnonymous();
+  }
 }

scm-webapp/src/main/java/sonia/scm/api/v2/resources/MeDtoFactory.java

@@ -21,7 +21,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.api.v2.resources;
 
 import de.otto.edison.hal.Embedded;
@@ -30,7 +30,6 @@ import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.subject.PrincipalCollection;
 import org.apache.shiro.subject.Subject;
 import sonia.scm.group.GroupCollector;
-import sonia.scm.security.Authentications;
 import sonia.scm.user.User;
 import sonia.scm.user.UserManager;
 import sonia.scm.user.UserPermissions;
@@ -92,7 +91,7 @@ public class MeDtoFactory extends HalAppenderMapper {
     if (UserPermissions.changePublicKeys(user).isPermitted()) {
       linksBuilder.single(link("publicKeys", resourceLinks.user().publicKeys(user.getName())));
     }
-    if (userManager.isTypeDefault(user) && UserPermissions.changePassword(user).isPermitted() && !Authentications.isSubjectAnonymous(user.getName())) {
+    if (userManager.isTypeDefault(user) && UserPermissions.changePassword(user).isPermitted()) {
       linksBuilder.single(link("password", resourceLinks.me().passwordChange()));
     }
 
@@ -101,5 +100,4 @@ public class MeDtoFactory extends HalAppenderMapper {
 
     return new MeDto(linksBuilder.build(), embeddedBuilder.build());
   }
-
 }

scm-webapp/src/main/java/sonia/scm/api/v2/resources/ScmConfigurationToConfigDtoMapper.java

@@ -27,9 +27,12 @@ package sonia.scm.api.v2.resources;
 import de.otto.edison.hal.Links;
 import org.mapstruct.AfterMapping;
 import org.mapstruct.Mapper;
+import org.mapstruct.Mapping;
 import org.mapstruct.MappingTarget;
+import org.mapstruct.Named;
 import sonia.scm.config.ConfigurationPermissions;
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.AnonymousMode;
 
 import javax.inject.Inject;
 
@@ -44,6 +47,15 @@ public abstract class ScmConfigurationToConfigDtoMapper extends BaseMapper<ScmCo
   @Inject
   private ResourceLinks resourceLinks;
 
+  @Mapping(target = "anonymousAccessEnabled", source = "anonymousMode", qualifiedByName = "mapAnonymousAccess")
+  @Mapping(target = "attributes", ignore = true)
+  public abstract ConfigDto map(ScmConfiguration scmConfiguration);
+
+  @Named("mapAnonymousAccess")
+  boolean mapAnonymousAccess(AnonymousMode anonymousMode) {
+    return anonymousMode != AnonymousMode.OFF;
+  }
+
   @AfterMapping
   void appendLinks(ScmConfiguration config, @MappingTarget ConfigDto target) {
     Links.Builder linksBuilder = linkingTo().self(resourceLinks.config().self());

scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserCollectionResource.java

@@ -21,7 +21,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.api.v2.resources;
 
 import io.swagger.v3.oas.annotations.Operation;
@@ -34,6 +34,7 @@ import sonia.scm.search.SearchRequest;
 import sonia.scm.search.SearchUtil;
 import sonia.scm.user.User;
 import sonia.scm.user.UserManager;
+import sonia.scm.user.UserPermissions;
 import sonia.scm.web.VndMediaType;
 
 import javax.inject.Inject;
@@ -108,6 +109,7 @@ public class UserCollectionResource {
                          @DefaultValue("false") @QueryParam("desc") boolean desc,
                          @DefaultValue("") @QueryParam("q") String search
   ) {
+    UserPermissions.list().check();
     return adapter.getAll(page, pageSize, createSearchPredicate(search), sortBy, desc,
       pageResult -> userCollectionToDtoMapper.map(page, pageSize, pageResult));
   }

scm-webapp/src/main/java/sonia/scm/filter/PropagatePrincipleFilter.java

@@ -33,6 +33,7 @@ import org.apache.shiro.subject.Subject;
 import sonia.scm.Priority;
 import sonia.scm.SCMContext;
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.AnonymousMode;
 import sonia.scm.web.filter.HttpFilter;
 import sonia.scm.web.filter.PropagatePrincipleServletRequestWrapper;
 
@@ -89,7 +90,7 @@ public class PropagatePrincipleFilter extends HttpFilter
   private boolean hasPermission(Subject subject)
   {
     return ((configuration != null)
-      && configuration.isAnonymousAccessEnabled()) || subject.isAuthenticated()
+      && configuration.getAnonymousMode() != AnonymousMode.OFF) || subject.isAuthenticated()
         || subject.isRemembered();
   }
 

scm-webapp/src/main/java/sonia/scm/lifecycle/SetupContextListener.java

@@ -31,6 +31,7 @@ import org.slf4j.LoggerFactory;
 import sonia.scm.SCMContext;
 import sonia.scm.config.ScmConfiguration;
 import sonia.scm.plugin.Extension;
+import sonia.scm.security.AnonymousMode;
 import sonia.scm.security.PermissionAssigner;
 import sonia.scm.security.PermissionDescriptor;
 import sonia.scm.user.User;
@@ -94,7 +95,7 @@ public class SetupContextListener implements ServletContextListener {
     }
 
     private boolean anonymousUserRequiredButNotExists() {
-      return scmConfiguration.isAnonymousAccessEnabled() && !userManager.contains(SCMContext.USER_ANONYMOUS);
+      return scmConfiguration.getAnonymousMode() != AnonymousMode.OFF && !userManager.contains(SCMContext.USER_ANONYMOUS);
     }
 
     private boolean shouldCreateAdminAccount() {

scm-webapp/src/main/java/sonia/scm/security/BearerRealm.java

@@ -92,6 +92,7 @@ public class BearerRealm extends AuthenticatingRealm
     checkArgument(token instanceof BearerToken, "%s is required", BearerToken.class);
 
     BearerToken bt = (BearerToken) token;
+
     AccessToken accessToken = tokenResolver.resolve(bt);
 
     return helper.authenticationInfoBuilder(accessToken.getSubject())

scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenResolver.java

@@ -21,22 +21,24 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.security;
 
 import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
-import java.util.Set;
-import javax.inject.Inject;
 import org.apache.shiro.authc.AuthenticationException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import sonia.scm.plugin.Extension;
 
+import javax.inject.Inject;
+import java.util.Set;
+
 /**
  * Jwt implementation of {@link AccessTokenResolver}.
- * 
+ *
  * @author Sebastian Sdorra
  * @since 2.0.0
  */
@@ -47,7 +49,7 @@ public final class JwtAccessTokenResolver implements AccessTokenResolver {
    * the logger for JwtAccessTokenResolver
    */
   private static final Logger LOG = LoggerFactory.getLogger(JwtAccessTokenResolver.class);
-  
+
   private final SecureKeyResolver keyResolver;
   private final Set<AccessTokenValidator> validators;
 
@@ -56,7 +58,7 @@ public final class JwtAccessTokenResolver implements AccessTokenResolver {
     this.keyResolver = keyResolver;
     this.validators = validators;
   }
-  
+
   @Override
   public JwtAccessToken resolve(BearerToken bearerToken) {
     try {
@@ -71,6 +73,8 @@ public final class JwtAccessTokenResolver implements AccessTokenResolver {
       validate(token);
 
       return token;
+    } catch (ExpiredJwtException ex) {
+      throw new TokenExpiredException("The jwt token has been expired", ex);
     } catch (JwtException ex) {
       throw new AuthenticationException("signature is invalid", ex);
     }
@@ -92,5 +96,5 @@ public final class JwtAccessTokenResolver implements AccessTokenResolver {
   private String createValidationFailedMessage(AccessTokenValidator validator, AccessToken accessToken) {
     return String.format("token %s is invalid, marked by validator %s", accessToken.getId(), validator.getClass());
   }
-  
+
 }

scm-webapp/src/main/java/sonia/scm/update/repository/AnonymousModeUpdateStep.java

@@ -0,0 +1,104 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.update.repository;
+
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import sonia.scm.SCMContextProvider;
+import sonia.scm.config.ScmConfiguration;
+import sonia.scm.migration.UpdateStep;
+import sonia.scm.plugin.Extension;
+import sonia.scm.security.AnonymousMode;
+import sonia.scm.store.ConfigurationStore;
+import sonia.scm.store.ConfigurationStoreFactory;
+import sonia.scm.store.StoreConstants;
+import sonia.scm.version.Version;
+
+import javax.inject.Inject;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+
+import static sonia.scm.version.Version.parse;
+
+@Extension
+public class AnonymousModeUpdateStep implements UpdateStep {
+
+  private final SCMContextProvider contextProvider;
+  private final ConfigurationStore<ScmConfiguration> configStore;
+
+  @Inject
+  public AnonymousModeUpdateStep(SCMContextProvider contextProvider, ConfigurationStoreFactory configurationStoreFactory) {
+    this.contextProvider = contextProvider;
+    this.configStore = configurationStoreFactory.withType(ScmConfiguration.class).withName("config").build();
+  }
+
+  @Override
+  public void doUpdate() throws JAXBException {
+    Path configFile = determineConfigDirectory().resolve("config" + StoreConstants.FILE_EXTENSION);
+
+    if (configFile.toFile().exists()) {
+      PreUpdateScmConfiguration oldConfig = getPreUpdateScmConfigurationFromOldConfig(configFile);
+      ScmConfiguration config = configStore.get();
+      if (oldConfig.isAnonymousAccessEnabled()) {
+        config.setAnonymousMode(AnonymousMode.PROTOCOL_ONLY);
+      } else {
+        config.setAnonymousMode(AnonymousMode.OFF);
+      }
+      configStore.set(config);
+    }
+  }
+
+  @Override
+  public Version getTargetVersion() {
+    return parse("2.4.0");
+  }
+
+  @Override
+  public String getAffectedDataType() {
+    return "config.xml";
+  }
+
+  private PreUpdateScmConfiguration getPreUpdateScmConfigurationFromOldConfig(Path configFile) throws JAXBException {
+    JAXBContext jaxbContext = JAXBContext.newInstance(AnonymousModeUpdateStep.PreUpdateScmConfiguration.class);
+    return (AnonymousModeUpdateStep.PreUpdateScmConfiguration) jaxbContext.createUnmarshaller().unmarshal(configFile.toFile());
+  }
+
+  private Path determineConfigDirectory() {
+    return contextProvider.resolve(Paths.get(StoreConstants.CONFIG_DIRECTORY_NAME));
+  }
+
+  @XmlRootElement(name = "scm-config")
+  @XmlAccessorType(XmlAccessType.FIELD)
+  @NoArgsConstructor
+  @Getter
+  static class PreUpdateScmConfiguration {
+    private boolean anonymousAccessEnabled;
+  }
+}

scm-webapp/src/main/java/sonia/scm/user/AnonymousUserDeletionEventHandler.java

@@ -31,6 +31,7 @@ import sonia.scm.HandlerEventType;
 import sonia.scm.SCMContext;
 import sonia.scm.config.ScmConfiguration;
 import sonia.scm.plugin.Extension;
+import sonia.scm.security.AnonymousMode;
 
 import javax.inject.Inject;
 
@@ -38,7 +39,7 @@ import javax.inject.Inject;
 @Extension
 public class AnonymousUserDeletionEventHandler {
 
-  private ScmConfiguration scmConfiguration;
+  private final ScmConfiguration scmConfiguration;
 
   @Inject
   public AnonymousUserDeletionEventHandler(ScmConfiguration scmConfiguration) {
@@ -55,6 +56,6 @@ public class AnonymousUserDeletionEventHandler {
   private boolean isAnonymousUserDeletionNotAllowed(UserEvent event) {
     return event.getEventType() == HandlerEventType.BEFORE_DELETE
       && event.getItem().getName().equals(SCMContext.USER_ANONYMOUS)
-      && scmConfiguration.isAnonymousAccessEnabled();
+      && scmConfiguration.getAnonymousMode() != AnonymousMode.OFF;
   }
 }

scm-webapp/src/test/java/sonia/scm/api/v2/resources/AuthenticationResourceTest.java

@@ -67,7 +67,7 @@ public class AuthenticationResourceTest {
   @Rule
   public ShiroRule shiro = new ShiroRule();
 
-  private RestDispatcher dispatcher = new RestDispatcher();
+  private final RestDispatcher dispatcher = new RestDispatcher();
 
   @Mock
   private AccessTokenBuilderFactory accessTokenBuilderFactory;
@@ -75,9 +75,9 @@ public class AuthenticationResourceTest {
   @Mock
   private AccessTokenBuilder accessTokenBuilder;
 
-  private AccessTokenCookieIssuer cookieIssuer = new DefaultAccessTokenCookieIssuer(mock(ScmConfiguration.class));
+  private final AccessTokenCookieIssuer cookieIssuer = new DefaultAccessTokenCookieIssuer(mock(ScmConfiguration.class));
 
-  private MockHttpResponse response = new MockHttpResponse();
+  private final MockHttpResponse response = new MockHttpResponse();
 
   private static final String AUTH_JSON_TRILLIAN = "{\n" +
     "\t\"cookie\": true,\n" +

scm-webapp/src/test/java/sonia/scm/api/v2/resources/ConfigDtoToScmConfigurationMapperTest.java

@@ -21,7 +21,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.api.v2.resources;
 
 import org.junit.Before;
@@ -29,6 +29,7 @@ import org.junit.Test;
 import org.mockito.InjectMocks;
 import org.mockito.internal.util.collections.Sets;
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.AnonymousMode;
 
 import java.util.Arrays;
 
@@ -41,9 +42,9 @@ public class ConfigDtoToScmConfigurationMapperTest {
   @InjectMocks
   private ConfigDtoToScmConfigurationMapperImpl mapper;
 
-  private String[] expectedUsers = { "trillian", "arthur" };
-  private String[] expectedGroups = { "admin", "plebs" };
-  private String[] expectedExcludes = { "ex", "clude" };
+  private String[] expectedUsers = {"trillian", "arthur"};
+  private String[] expectedGroups = {"admin", "plebs"};
+  private String[] expectedExcludes = {"ex", "clude"};
 
   @Before
   public void init() {
@@ -55,27 +56,42 @@ public class ConfigDtoToScmConfigurationMapperTest {
     ConfigDto dto = createDefaultDto();
     ScmConfiguration config = mapper.map(dto);
 
-    assertEquals("prPw" , config.getProxyPassword());
-    assertEquals(42 , config.getProxyPort());
-    assertEquals("srvr" , config.getProxyServer());
-    assertEquals("user" , config.getProxyUser());
+    assertEquals("prPw", config.getProxyPassword());
+    assertEquals(42, config.getProxyPort());
+    assertEquals("srvr", config.getProxyServer());
+    assertEquals("user", config.getProxyUser());
     assertTrue(config.isEnableProxy());
-    assertEquals("realm" , config.getRealmDescription());
+    assertEquals("realm", config.getRealmDescription());
     assertTrue(config.isDisableGroupingGrid());
-    assertEquals("yyyy" , config.getDateFormat());
-    assertTrue(config.isAnonymousAccessEnabled());
-    assertEquals("baseurl" , config.getBaseUrl());
+    assertEquals("yyyy", config.getDateFormat());
+    assertEquals(AnonymousMode.PROTOCOL_ONLY, config.getAnonymousMode());
+    assertEquals("baseurl", config.getBaseUrl());
     assertTrue(config.isForceBaseUrl());
-    assertEquals(41 , config.getLoginAttemptLimit());
+    assertEquals(41, config.getLoginAttemptLimit());
     assertTrue("proxyExcludes", config.getProxyExcludes().containsAll(Arrays.asList(expectedExcludes)));
     assertTrue(config.isSkipFailedAuthenticators());
-    assertEquals("https://plug.ins" , config.getPluginUrl());
-    assertEquals(40 , config.getLoginAttemptLimitTimeout());
+    assertEquals("https://plug.ins", config.getPluginUrl());
+    assertEquals(40, config.getLoginAttemptLimitTimeout());
     assertTrue(config.isEnabledXsrfProtection());
     assertEquals("username", config.getNamespaceStrategy());
     assertEquals("https://scm-manager.org/login-info", config.getLoginInfoUrl());
   }
 
+  @Test
+  public void shouldMapAnonymousAccessFieldToAnonymousMode() {
+    ConfigDto dto = createDefaultDto();
+
+    ScmConfiguration config = mapper.map(dto);
+
+    assertEquals(AnonymousMode.PROTOCOL_ONLY, config.getAnonymousMode());
+
+    dto.setAnonymousMode(null);
+    dto.setAnonymousAccessEnabled(false);
+    ScmConfiguration config2 = mapper.map(dto);
+
+    assertEquals(AnonymousMode.OFF, config2.getAnonymousMode());
+  }
+
   private ConfigDto createDefaultDto() {
     ConfigDto configDto = new ConfigDto();
     configDto.setProxyPassword("prPw");
@@ -86,7 +102,7 @@ public class ConfigDtoToScmConfigurationMapperTest {
     configDto.setRealmDescription("realm");
     configDto.setDisableGroupingGrid(true);
     configDto.setDateFormat("yyyy");
-    configDto.setAnonymousAccessEnabled(true);
+    configDto.setAnonymousMode(AnonymousMode.PROTOCOL_ONLY);
     configDto.setBaseUrl("baseurl");
     configDto.setForceBaseUrl(true);
     configDto.setLoginAttemptLimit(41);

scm-webapp/src/test/java/sonia/scm/api/v2/resources/IndexDtoGeneratorTest.java

@@ -0,0 +1,137 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.api.v2.resources;
+
+import org.apache.shiro.subject.Subject;
+import org.apache.shiro.util.ThreadContext;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import sonia.scm.BasicContextProvider;
+import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.AnonymousMode;
+
+import java.net.URI;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.when;
+import static sonia.scm.SCMContext.USER_ANONYMOUS;
+
+@ExtendWith(MockitoExtension.class)
+class IndexDtoGeneratorTest {
+
+  private static final ScmPathInfo scmPathInfo = () -> URI.create("/api/v2");
+
+  @Mock
+  private ScmConfiguration configuration;
+  @Mock
+  private BasicContextProvider contextProvider;
+  @Mock
+  private ResourceLinks resourceLinks;
+
+  @Mock
+  private Subject subject;
+
+  @InjectMocks
+  private IndexDtoGenerator generator;
+
+  @BeforeEach
+  void bindSubject() {
+    ThreadContext.bind(subject);
+  }
+
+  @AfterEach
+  void tearDownSubject() {
+    ThreadContext.unbindSubject();
+  }
+
+  @Test
+  void shouldAppendMeIfAuthenticated() {
+    mockSubjectRelatedResourceLinks();
+    when(subject.isAuthenticated()).thenReturn(true);
+
+    when(contextProvider.getVersion()).thenReturn("2.x");
+
+    IndexDto dto = generator.generate();
+
+    assertThat(dto.getLinks().getLinkBy("me")).isPresent();
+  }
+
+  @Test
+  void shouldNotAppendMeIfUserIsAuthenticatedButAnonymous() {
+    mockResourceLinks();
+    when(subject.getPrincipal()).thenReturn(USER_ANONYMOUS);
+    when(subject.isAuthenticated()).thenReturn(true);
+
+    IndexDto dto = generator.generate();
+
+    assertThat(dto.getLinks().getLinkBy("me")).isNotPresent();
+  }
+
+  @Test
+  void shouldAppendMeIfUserIsAnonymousAndAnonymousModeIsFullEnabled() {
+    mockSubjectRelatedResourceLinks();
+    when(subject.getPrincipal()).thenReturn(USER_ANONYMOUS);
+    when(subject.isAuthenticated()).thenReturn(true);
+    when(configuration.getAnonymousMode()).thenReturn(AnonymousMode.FULL);
+
+    IndexDto dto = generator.generate();
+
+    assertThat(dto.getLinks().getLinkBy("me")).isPresent();
+  }
+
+  @Test
+  void shouldNotAppendMeIfUserIsAnonymousAndAnonymousModeIsProtocolOnly() {
+    mockResourceLinks();
+    when(subject.getPrincipal()).thenReturn(USER_ANONYMOUS);
+    when(subject.isAuthenticated()).thenReturn(true);
+    when(configuration.getAnonymousMode()).thenReturn(AnonymousMode.PROTOCOL_ONLY);
+
+    IndexDto dto = generator.generate();
+
+    assertThat(dto.getLinks().getLinkBy("me")).isNotPresent();
+  }
+
+
+  private void mockResourceLinks() {
+    when(resourceLinks.index()).thenReturn(new ResourceLinks.IndexLinks(scmPathInfo));
+    when(resourceLinks.uiPluginCollection()).thenReturn(new ResourceLinks.UIPluginCollectionLinks(scmPathInfo));
+    when(resourceLinks.authentication()).thenReturn(new ResourceLinks.AuthenticationLinks(scmPathInfo));
+  }
+
+  private void mockSubjectRelatedResourceLinks() {
+    mockResourceLinks();
+    when(resourceLinks.repositoryCollection()).thenReturn(new ResourceLinks.RepositoryCollectionLinks(scmPathInfo));
+    when(resourceLinks.repositoryVerbs()).thenReturn(new ResourceLinks.RepositoryVerbLinks(scmPathInfo));
+    when(resourceLinks.repositoryTypeCollection()).thenReturn(new ResourceLinks.RepositoryTypeCollectionLinks(scmPathInfo));
+    when(resourceLinks.repositoryRoleCollection()).thenReturn(new ResourceLinks.RepositoryRoleCollectionLinks(scmPathInfo));
+    when(resourceLinks.namespaceStrategies()).thenReturn(new ResourceLinks.NamespaceStrategiesLinks(scmPathInfo));
+    when(resourceLinks.me()).thenReturn(new ResourceLinks.MeLinks(scmPathInfo, new ResourceLinks.UserLinks(scmPathInfo)));
+  }
+}

scm-webapp/src/test/java/sonia/scm/api/v2/resources/MeDtoFactoryTest.java

@@ -187,15 +187,15 @@ class MeDtoFactoryTest {
   }
 
   @Test
-  void shouldNotGetPasswordLinkForAnonymousUser() {
+  void shouldAppendOnlySelfLinkIfAnonymousUser() {
     User user = SCMContext.ANONYMOUS;
     prepareSubject(user);
 
-    when(userManager.isTypeDefault(any())).thenReturn(true);
-    when(UserPermissions.changePassword(user).isPermitted()).thenReturn(true);
-
     MeDto dto = meDtoFactory.create();
+    assertThat(dto.getLinks().getLinkBy("self")).isPresent();
     assertThat(dto.getLinks().getLinkBy("password")).isNotPresent();
+    assertThat(dto.getLinks().getLinkBy("delete")).isNotPresent();
+    assertThat(dto.getLinks().getLinkBy("update")).isNotPresent();
   }
 
   @Test
@@ -235,6 +235,4 @@ class MeDtoFactoryTest {
     MeDto dto = meDtoFactory.create();
     assertThat(dto.getLinks().getLinkBy("profile").get().getHref()).isEqualTo("http://hitchhiker.com/users/trillian");
   }
-
-
 }

scm-webapp/src/test/java/sonia/scm/api/v2/resources/ScmConfigurationToConfigDtoMapperTest.java

@@ -21,7 +21,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.api.v2.resources;
 
 import org.apache.shiro.subject.Subject;
@@ -34,12 +34,14 @@ import org.junit.Test;
 import org.mockito.InjectMocks;
 import org.mockito.internal.util.collections.Sets;
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.AnonymousMode;
 
 import java.net.URI;
 import java.util.Arrays;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertSame;
 import static org.junit.Assert.assertTrue;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
@@ -47,11 +49,11 @@ import static org.mockito.MockitoAnnotations.initMocks;
 
 public class ScmConfigurationToConfigDtoMapperTest {
 
-  private URI baseUri =  URI.create("http://example.com/base/");
+  private URI baseUri = URI.create("http://example.com/base/");
 
-  private String[] expectedUsers = { "trillian", "arthur" };
-  private String[] expectedGroups = { "admin", "plebs" };
-  private String[] expectedExcludes = { "ex", "clude" };
+  private String[] expectedUsers = {"trillian", "arthur"};
+  private String[] expectedGroups = {"admin", "plebs"};
+  private String[] expectedExcludes = {"ex", "clude"};
 
   @SuppressWarnings("unused") // Is injected
   private ResourceLinks resourceLinks = ResourceLinksMock.createMock(baseUri);
@@ -85,22 +87,22 @@ public class ScmConfigurationToConfigDtoMapperTest {
     when(subject.isPermitted("configuration:write:global")).thenReturn(true);
     ConfigDto dto = mapper.map(config);
 
-    assertEquals("heartOfGold" , dto.getProxyPassword());
-    assertEquals(1234 , dto.getProxyPort());
-    assertEquals("proxyserver" , dto.getProxyServer());
-    assertEquals("trillian" , dto.getProxyUser());
+    assertEquals("heartOfGold", dto.getProxyPassword());
+    assertEquals(1234, dto.getProxyPort());
+    assertEquals("proxyserver", dto.getProxyServer());
+    assertEquals("trillian", dto.getProxyUser());
     assertTrue(dto.isEnableProxy());
-    assertEquals("description" , dto.getRealmDescription());
+    assertEquals("description", dto.getRealmDescription());
     assertTrue(dto.isDisableGroupingGrid());
-    assertEquals("dd" , dto.getDateFormat());
-    assertTrue(dto.isAnonymousAccessEnabled());
-    assertEquals("baseurl" , dto.getBaseUrl());
+    assertEquals("dd", dto.getDateFormat());
+    assertSame(AnonymousMode.FULL, dto.getAnonymousMode());
+    assertEquals("baseurl", dto.getBaseUrl());
     assertTrue(dto.isForceBaseUrl());
-    assertEquals(1 , dto.getLoginAttemptLimit());
+    assertEquals(1, dto.getLoginAttemptLimit());
     assertTrue("proxyExcludes", dto.getProxyExcludes().containsAll(Arrays.asList(expectedExcludes)));
     assertTrue(dto.isSkipFailedAuthenticators());
-    assertEquals("pluginurl" , dto.getPluginUrl());
-    assertEquals(2 , dto.getLoginAttemptLimitTimeout());
+    assertEquals("pluginurl", dto.getPluginUrl());
+    assertEquals(2, dto.getLoginAttemptLimitTimeout());
     assertTrue(dto.isEnabledXsrfProtection());
     assertEquals("username", dto.getNamespaceStrategy());
     assertEquals("https://scm-manager.org/login-info", dto.getLoginInfoUrl());
@@ -121,6 +123,21 @@ public class ScmConfigurationToConfigDtoMapperTest {
     assertFalse(dto.getLinks().hasLink("update"));
   }
 
+  @Test
+  public void shouldMapAnonymousAccessField() {
+    ScmConfiguration config = createConfiguration();
+
+    when(subject.hasRole("configuration:write:global")).thenReturn(false);
+    ConfigDto dto = mapper.map(config);
+
+    assertTrue(dto.isAnonymousAccessEnabled());
+
+    config.setAnonymousMode(AnonymousMode.OFF);
+    ConfigDto secondDto = mapper.map(config);
+
+    assertFalse(secondDto.isAnonymousAccessEnabled());
+  }
+
   private ScmConfiguration createConfiguration() {
     ScmConfiguration config = new ScmConfiguration();
     config.setProxyPassword("heartOfGold");
@@ -131,7 +148,7 @@ public class ScmConfigurationToConfigDtoMapperTest {
     config.setRealmDescription("description");
     config.setDisableGroupingGrid(true);
     config.setDateFormat("dd");
-    config.setAnonymousAccessEnabled(true);
+    config.setAnonymousMode(AnonymousMode.FULL);
     config.setBaseUrl("baseurl");
     config.setForceBaseUrl(true);
     config.setLoginAttemptLimit(1);

scm-webapp/src/test/java/sonia/scm/filter/PropagatePrincipleFilterTest.java

@@ -38,6 +38,7 @@ import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnitRunner;
 import sonia.scm.SCMContext;
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.AnonymousMode;
 import sonia.scm.user.User;
 import sonia.scm.user.UserTestData;
 
@@ -110,7 +111,7 @@ public class PropagatePrincipleFilterTest {
    */
   @Test
   public void testAnonymousWithAccessEnabled() throws IOException, ServletException {
-    configuration.setAnonymousAccessEnabled(true);
+    configuration.setAnonymousMode(AnonymousMode.FULL);
     
     // execute
     propagatePrincipleFilter.doFilter(request, response, chain);

scm-webapp/src/test/java/sonia/scm/lifecycle/SetupContextListenerTest.java

@@ -37,6 +37,7 @@ import org.mockito.junit.jupiter.MockitoSettings;
 import org.mockito.quality.Strictness;
 import sonia.scm.SCMContext;
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.AnonymousMode;
 import sonia.scm.security.PermissionAssigner;
 import sonia.scm.security.PermissionDescriptor;
 import sonia.scm.user.User;
@@ -82,7 +83,7 @@ class SetupContextListenerTest {
 
   @BeforeEach
   void mockScmConfiguration() {
-    when(scmConfiguration.isAnonymousAccessEnabled()).thenReturn(false);
+    when(scmConfiguration.getAnonymousMode()).thenReturn(AnonymousMode.OFF);
   }
 
   @BeforeEach
@@ -145,7 +146,7 @@ class SetupContextListenerTest {
   void shouldCreateAnonymousUserIfRequired() {
     List<User> users = Lists.newArrayList(UserTestData.createTrillian());
     when(userManager.getAll()).thenReturn(users);
-    when(scmConfiguration.isAnonymousAccessEnabled()).thenReturn(true);
+    when(scmConfiguration.getAnonymousMode()).thenReturn(AnonymousMode.FULL);
 
     setupContextListener.contextInitialized(null);
 
@@ -166,7 +167,7 @@ class SetupContextListenerTest {
   void shouldNotCreateAnonymousUserIfAlreadyExists() {
     List<User> users = Lists.newArrayList(SCMContext.ANONYMOUS);
     when(userManager.getAll()).thenReturn(users);
-    when(scmConfiguration.isAnonymousAccessEnabled()).thenReturn(true);
+    when(scmConfiguration.getAnonymousMode()).thenReturn(AnonymousMode.FULL);
 
     setupContextListener.contextInitialized(null);
 

scm-webapp/src/test/java/sonia/scm/security/BearerRealmTest.java

@@ -21,7 +21,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.security;
 
 import org.apache.shiro.authc.AuthenticationInfo;

scm-webapp/src/test/java/sonia/scm/security/JwtAccessTokenResolverTest.java

@@ -130,7 +130,7 @@ public class JwtAccessTokenResolverTest {
     String compact = createCompactToken("trillian", secureKey, exp, Scope.empty());
     
     // expect exception
-    expectedException.expect(AuthenticationException.class);
+    expectedException.expect(TokenExpiredException.class);
     expectedException.expectCause(instanceOf(ExpiredJwtException.class));
     
     BearerToken bearer = BearerToken.valueOf(compact);

scm-webapp/src/test/java/sonia/scm/update/repository/AnonymousModeUpdateStepTest.java

@@ -0,0 +1,104 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.update.repository;
+
+import com.google.common.io.Resources;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.junit.jupiter.api.io.TempDir;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import sonia.scm.SCMContextProvider;
+import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.AnonymousMode;
+import sonia.scm.store.ConfigurationStore;
+import sonia.scm.store.InMemoryConfigurationStoreFactory;
+
+import javax.xml.bind.JAXBException;
+import java.io.IOException;
+import java.net.URL;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.when;
+import static sonia.scm.store.InMemoryConfigurationStoreFactory.create;
+
+@ExtendWith(MockitoExtension.class)
+class AnonymousModeUpdateStepTest {
+
+  @Mock
+  private SCMContextProvider contextProvider;
+
+  private AnonymousModeUpdateStep updateStep;
+  private ConfigurationStore<ScmConfiguration> configurationStore;
+
+  private Path configDir;
+
+  @BeforeEach
+  void initUpdateStep(@TempDir Path tempDir) throws IOException {
+    when(contextProvider.resolve(any(Path.class))).thenReturn(tempDir.toAbsolutePath());
+    configDir = tempDir;
+    Files.createDirectories(configDir);
+    InMemoryConfigurationStoreFactory inMemoryConfigurationStoreFactory = create();
+    configurationStore = inMemoryConfigurationStoreFactory.get("config", null);
+    updateStep = new AnonymousModeUpdateStep(contextProvider, inMemoryConfigurationStoreFactory);
+  }
+
+  @Test
+  void shouldNotUpdateIfConfigFileNotAvailable() throws JAXBException {
+    updateStep.doUpdate();
+
+    assertThat(configurationStore.getOptional()).isNotPresent();
+  }
+
+  @Test
+  void shouldUpdateDisabledAnonymousMode() throws JAXBException, IOException {
+    copyTestDatabaseFile(configDir, "config.xml", "config.xml");
+    configurationStore.set(new ScmConfiguration());
+
+    updateStep.doUpdate();
+
+    assertThat((configurationStore.get()).getAnonymousMode()).isEqualTo(AnonymousMode.OFF);
+  }
+
+  @Test
+  void shouldUpdateEnabledAnonymousMode() throws JAXBException, IOException {
+    copyTestDatabaseFile(configDir, "config-withAnon.xml", "config.xml");
+    configurationStore.set(new ScmConfiguration());
+
+    updateStep.doUpdate();
+
+    assertThat((configurationStore.get()).getAnonymousMode()).isEqualTo(AnonymousMode.PROTOCOL_ONLY);
+  }
+
+  private void copyTestDatabaseFile(Path configDir, String sourceFileName, String targetFileName) throws IOException {
+    URL url = Resources.getResource("sonia/scm/update/security/" + sourceFileName);
+    Files.copy(url.openStream(), configDir.resolve(targetFileName));
+  }
+}

scm-webapp/src/test/java/sonia/scm/user/AnonymousUserDeletionEventHandlerTest.java

@@ -29,6 +29,7 @@ import org.junit.jupiter.api.Test;
 import sonia.scm.HandlerEventType;
 import sonia.scm.SCMContext;
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.AnonymousMode;
 
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
@@ -45,7 +46,7 @@ class AnonymousUserDeletionEventHandlerTest {
 
   @Test
   void shouldThrowAnonymousUserDeletionExceptionIfAnonymousAccessIsEnabled() {
-    scmConfiguration.setAnonymousAccessEnabled(true);
+    scmConfiguration.setAnonymousMode(AnonymousMode.FULL);
 
     hook = new AnonymousUserDeletionEventHandler(scmConfiguration);
     UserEvent deletionEvent = new UserEvent(HandlerEventType.BEFORE_DELETE, SCMContext.ANONYMOUS);
@@ -55,7 +56,7 @@ class AnonymousUserDeletionEventHandlerTest {
 
   @Test
   void shouldNotThrowAnonymousUserDeletionException() {
-    scmConfiguration.setAnonymousAccessEnabled(false);
+    scmConfiguration.setAnonymousMode(AnonymousMode.OFF);
 
     hook = new AnonymousUserDeletionEventHandler(scmConfiguration);
     UserEvent deletionEvent = new UserEvent(HandlerEventType.BEFORE_DELETE,  SCMContext.ANONYMOUS);

scm-webapp/src/test/resources/sonia/scm/update/security/config-withAnon.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+
+    MIT License
+
+    Copyright (c) 2020-present Cloudogu GmbH and Contributors
+
+    Permission is hereby granted, free of charge, to any person obtaining a copy
+    of this software and associated documentation files (the "Software"), to deal
+    in the Software without restriction, including without limitation the rights
+    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+    copies of the Software, and to permit persons to whom the Software is
+    furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice shall be included in all
+    copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+    SOFTWARE.
+
+-->
+<scm-config>
+  <admin-groups>admins,vogons</admin-groups>
+  <admin-users>arthur,dent,ldap-admin</admin-users>
+  <base-url>http://localhost:8081/scm</base-url>
+  <enableProxy>false</enableProxy>
+  <force-base-url>false</force-base-url>
+  <forwardPort>80</forwardPort>
+  <plugin-url>http://plugins.scm-manager.org/scm-plugin-backend/api/{version}/plugins?os={os}&amp;arch={arch}&amp;snapshot=false</plugin-url>
+  <proxyPort>8080</proxyPort>
+  <proxyServer>proxy.mydomain.com</proxyServer>
+  <servername>localhost</servername>
+  <enableSSL>false</enableSSL>
+  <enablePortForward>false</enablePortForward>
+  <sslPort>8181</sslPort>
+  <disableGroupingGrid>false</disableGroupingGrid>
+  <dateFormat>Y-m-d H:i:s</dateFormat>
+  <anonymousAccessEnabled>true</anonymousAccessEnabled>
+</scm-config>