From ed9b10b86f5026d9e1f4b74357667743fafaf579 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Pfeuffer?=
Date: Fri, 28 Sep 2018 14:40:26 +0200
Subject: [PATCH] Permit unathenticated index access
---
 .../main/java/sonia/scm/security/SecurityRequests.java | 10 ++++++++++
 .../scm/web/security/ApiAuthenticationFilter.java | 2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/scm-webapp/src/main/java/sonia/scm/security/SecurityRequests.java b/scm-webapp/src/main/java/sonia/scm/security/SecurityRequests.java
index 81bb2092c9..7b467c237a 100644
--- a/scm-webapp/src/main/java/sonia/scm/security/SecurityRequests.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/SecurityRequests.java
@@ -11,6 +11,7 @@ import static sonia.scm.api.v2.resources.ScmPathInfo.REST_API_PATH;
 public final class SecurityRequests {
 private static final Pattern URI_LOGIN_PATTERN = Pattern.compile(REST_API_PATH + "(?:/v2)?/auth/access_token");
+ private static final Pattern URI_INDEX_PATTERN = Pattern.compile(REST_API_PATH + "/v2/?");
 private SecurityRequests() {}
@@ -23,4 +24,13 @@ public final class SecurityRequests {
 return URI_LOGIN_PATTERN.matcher(uri).matches();
 }
+ public static boolean isIndexRequest(HttpServletRequest request) {
+ String uri = request.getRequestURI().substring(request.getContextPath().length());
+ return isAuthenticationRequest(uri);
+ }
+
+ public static boolean isIndexRequest(String uri) {
+ return URI_INDEX_PATTERN.matcher(uri).matches();
+ }
+
 }
diff --git a/scm-webapp/src/main/java/sonia/scm/web/security/ApiAuthenticationFilter.java b/scm-webapp/src/main/java/sonia/scm/web/security/ApiAuthenticationFilter.java
index d8fe469af9..26c8d65250 100644
--- a/scm-webapp/src/main/java/sonia/scm/web/security/ApiAuthenticationFilter.java
+++ b/scm-webapp/src/main/java/sonia/scm/web/security/ApiAuthenticationFilter.java
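Review bot: In SecurityRequests.java the new `isIndexRequest(HttpServletRequest request)` overload returns `isAuthenticationRequest(uri)` instead of `isIndexRequest(uri)`, so `URI_INDEX_PATTERN` is never consulted for servlet requests and the method only repeats the login check. As written this fails closed (an index request is still sent through authentication), but the behaviour named in the subject line is not reached; the return line should read `return isIndexRequest(uri);`. Because this predicate decides which paths are served without authentication, it deserves a unit test that accepts the bare `/v2` and `/v2/` forms under `REST_API_PATH` and rejects a neighbouring path such as one with a further segment appended. A one-line Javadoc on both overloads, saying that the pattern is applied with `matches()` to the URI after the context path has been stripped, would make the exempted path explicit.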
@@ -99,7 +99,7 @@ public class ApiAuthenticationFilter extends AuthenticationFilter
 throws IOException, ServletException
 {
 // skip filter on login resource
- if (SecurityRequests.isAuthenticationRequest(request))
+ if (SecurityRequests.isAuthenticationRequest(request) || SecurityRequests.isIndexRequest(request))
 {
 chain.doFilter(request, response);
 }
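Review bot: The comment above the changed condition still says `// skip filter on login resource`, although the condition now also exempts the index from authentication; it should become `// skip filter on login and index resources (both are served without authentication)`. Every predicate added to this `if` widens what an unauthenticated caller can reach, so the comment is the place to record why each path is exempt. The index resource will now run without an authenticated subject, and what it returns in that state is not visible in this hunk; presumably it limits itself to what an anonymous caller may see, which is worth confirming. The enclosing method starts and ends outside the hunk.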