Commits

Sebastian Sdorra committed 11b143d

mark security context as deprecated and use shiro apis instead

Comments (0)

Files changed (24)

scm-clients/scm-client-impl/src/test/java/sonia/scm/client/it/ClientTestUtil.java

 import sonia.scm.client.ClientUtil;
 import sonia.scm.client.JerseyClientProvider;
 import sonia.scm.client.JerseyClientSession;
-import sonia.scm.client.ScmUrlProvider;
 import sonia.scm.config.ScmConfiguration;
 import sonia.scm.url.UrlProvider;
 
    *
    */
   public static JerseyClientSession createSession(String username,
-          String password)
+    String password)
   {
     JerseyClientProvider provider = new JerseyClientProvider(REQUEST_LOGGING);
 

scm-core/src/main/java/sonia/scm/security/SecurityContext.java

 /**
  *
  * @author Sebastian Sdorra
+ * @deprecated use {@link SecurityUtils#getSecurityManager()} instead.
  */
+@Deprecated
 public interface SecurityContext
 {
 

scm-core/src/main/java/sonia/scm/util/SecurityUtil.java

 
 import com.google.inject.Provider;
 
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
+
 import sonia.scm.SCMContext;
+import sonia.scm.security.Role;
 import sonia.scm.security.ScmSecurityException;
 import sonia.scm.security.SecurityContext;
 import sonia.scm.user.User;
    *
    *
    * @param contextProvider
+   * @deprecated use {@link Subject#checkRole(java.lang.String)} with {
+   * @link Role#ADMIN} instead.
    */
+  @Deprecated
   public static void assertIsAdmin(
-          Provider<? extends SecurityContext> contextProvider)
+    Provider<? extends SecurityContext> contextProvider)
   {
-    assertIsAdmin(contextProvider.get());
+    assertIsAdmin();
   }
 
   /**
-   * Method description
+   * This method is only present for compatibility reasons.
+   * Use {@link Subject#checkRole(java.lang.String)} with {
+   * @link Role#ADMIN} instead.
    *
-   *
-   * @param context
+   * @since 1.21
    */
-  public static void assertIsAdmin(SecurityContext context)
+  public static void assertIsAdmin()
   {
-    AssertUtil.assertIsNotNull(context);
+    Subject subject = SecurityUtils.getSubject();
 
-    User user = context.getUser();
-
-    if (user == null)
+    if (!subject.isAuthenticated())
     {
       throw new ScmSecurityException("user is not authenticated");
     }
-
-    if (!user.isAdmin())
+    else if (!subject.hasRole(Role.ADMIN))
     {
       throw new ScmSecurityException("admin account is required");
     }
    * Method description
    *
    *
+   * @param context
+   * @deprecated use {@link Subject#checkRole(java.lang.String)} with {
+   * @link Role#ADMIN} instead.
+   */
+  @Deprecated
+  public static void assertIsAdmin(SecurityContext context)
+  {
+    assertIsAdmin();
+  }
+
+  /**
+   * Method description
+   *
+   *
    * @param contextProvider
    */
   public static void assertIsNotAnonymous(
-          Provider<? extends SecurityContext> contextProvider)
+    Provider<? extends SecurityContext> contextProvider)
   {
     if (isAnonymous(contextProvider))
     {
    * @return
    */
   public static User getCurrentUser(
-          Provider<? extends SecurityContext> contextProvider)
+    Provider<? extends SecurityContext> contextProvider)
   {
     AssertUtil.assertIsNotNull(contextProvider);
 
    * @return
    */
   public static boolean isAdmin(
-          Provider<? extends SecurityContext> contextProvider)
+    Provider<? extends SecurityContext> contextProvider)
   {
     return isAdmin(contextProvider.get());
   }
     AssertUtil.assertIsNotNull(contextProvider);
 
     return (contextProvider.getUser() != null)
-           && contextProvider.getUser().isAdmin();
+      && contextProvider.getUser().isAdmin();
   }
 
   /**
    * @return
    */
   public static boolean isAnonymous(
-          Provider<? extends SecurityContext> contextProvider)
+    Provider<? extends SecurityContext> contextProvider)
   {
     return isAnonymous(contextProvider.get());
   }

scm-core/src/main/java/sonia/scm/web/security/WebSecurityContext.java

 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.apache.shiro.SecurityUtils;
 
 /**
  *
  * @author Sebastian Sdorra
+ * @deprecated use {@link SecurityUtils#getSecurityManager()} instead.
  */
+@Deprecated
 public interface WebSecurityContext extends SecurityContext
 {
 

scm-test/src/main/java/sonia/scm/user/UserManagerTestBase.java

 
 //~--- non-JDK imports --------------------------------------------------------
 
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
+
 import org.junit.Test;
 
 import sonia.scm.Manager;
  * @author Sebastian Sdorra
  */
 public abstract class UserManagerTestBase
-        extends ManagerTestBase<User, UserException>
+  extends ManagerTestBase<User, UserException>
 {
 
   /** Field description */
    */
   @Test
   public void testMultiThreaded()
-          throws UserException, IOException, InterruptedException
+    throws UserException, IOException, InterruptedException
   {
     int initialSize = manager.getAll().size();
     List<MultiThreadTester> testers = new ArrayList<MultiThreadTester>();
       testers.add(new MultiThreadTester(manager));
     }
 
+    Subject subject = SecurityUtils.getSubject();
+
     for (MultiThreadTester tester : testers)
     {
+      subject.associateWith(tester);
       new Thread(tester).start();
     }
 
     {
       String id = UUID.randomUUID().toString();
       User user = new User(id, id.concat(" displayName"),
-                           id.concat("@mail.com"));
+                    id.concat("@mail.com"));
 
       manager.create(user);
 
      * @throws UserException
      */
     private void modifyAndDeleteUser(User user)
-            throws UserException, IOException
+      throws UserException, IOException
     {
       String name = user.getName();
       String nd = name.concat(" new displayname");

scm-test/src/main/java/sonia/scm/util/MockUtil.java

 import com.google.inject.Provider;
 
 import org.apache.shiro.authz.Permission;
+import org.apache.shiro.subject.PrincipalCollection;
 import org.apache.shiro.subject.Subject;
 
 import org.mockito.invocation.InvocationOnMock;
 public class MockUtil
 {
 
+  /** Field description */
+  private static final User ADMIN = new User("scmadmin", "SCM Admin",
+                                      "scmadmin@scm.org");
+
+  //~--- methods --------------------------------------------------------------
+
   /**
    * Method description
    *
     when(subject.isPermittedAll()).thenReturn(Boolean.TRUE);
     when(subject.hasRole("admin")).thenReturn(Boolean.TRUE);
 
+    PrincipalCollection collection = mock(PrincipalCollection.class);
+
+    when(collection.getPrimaryPrincipal()).thenReturn(ADMIN.getId());
+    when(collection.oneByType(User.class)).thenReturn(ADMIN);
+
+    when(subject.getPrincipal()).thenReturn(ADMIN.getId());
+    when(subject.getPrincipals()).thenReturn(collection);
+
     return subject;
   }
 

scm-webapp/src/main/java/sonia/scm/api/rest/resources/ChangePasswordResource.java

 //~--- non-JDK imports --------------------------------------------------------
 
 import com.google.inject.Inject;
-import com.google.inject.Provider;
+
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
 
 import org.codehaus.enunciate.jaxrs.TypeHint;
 import org.codehaus.enunciate.modules.jersey.ExternallyManagedLifecycle;
 
 import sonia.scm.api.rest.RestActionResult;
 import sonia.scm.security.EncryptionHandler;
+import sonia.scm.security.ScmSecurityException;
 import sonia.scm.user.User;
 import sonia.scm.user.UserException;
 import sonia.scm.user.UserManager;
 import sonia.scm.util.AssertUtil;
-import sonia.scm.web.security.WebSecurityContext;
 
 //~--- JDK imports ------------------------------------------------------------
 
    * @param securityContextProvider
    */
   @Inject
-  public ChangePasswordResource(
-          UserManager userManager, EncryptionHandler encryptionHandler,
-          Provider<WebSecurityContext> securityContextProvider)
+  public ChangePasswordResource(UserManager userManager,
+    EncryptionHandler encryptionHandler)
   {
     this.userManager = userManager;
     this.encryptionHandler = encryptionHandler;
-    this.securityContextProvider = securityContextProvider;
   }
 
   //~--- methods --------------------------------------------------------------
   @TypeHint(RestActionResult.class)
   @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
   public Response changePassword(@FormParam("old-password") String oldPassword,
-                                 @FormParam("new-password") String newPassword)
-          throws UserException, IOException
+    @FormParam("new-password") String newPassword)
+    throws UserException, IOException
   {
     AssertUtil.assertIsNotEmpty(oldPassword);
     AssertUtil.assertIsNotEmpty(newPassword);
     }
 
     Response response = null;
-    WebSecurityContext securityContext = securityContextProvider.get();
-    User currentUser = securityContext.getUser();
+    Subject subject = SecurityUtils.getSubject();
+
+    if (!subject.isAuthenticated())
+    {
+      throw new ScmSecurityException("user is not authenticated");
+    }
+
+    User currentUser = subject.getPrincipals().oneByType(User.class);
 
     if (logger.isInfoEnabled())
     {
   private EncryptionHandler encryptionHandler;
 
   /** Field description */
-  private Provider<WebSecurityContext> securityContextProvider;
-
-  /** Field description */
   private UserManager userManager;
 }

scm-webapp/src/main/java/sonia/scm/api/rest/resources/ConfigurationResource.java

 //~--- non-JDK imports --------------------------------------------------------
 
 import com.google.inject.Inject;
-import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
+
 import org.codehaus.enunciate.modules.jersey.ExternallyManagedLifecycle;
 
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.Role;
+import sonia.scm.security.ScmSecurityException;
 import sonia.scm.util.ScmConfigurationUtil;
-import sonia.scm.util.SecurityUtil;
-import sonia.scm.web.security.WebSecurityContext;
 
 //~--- JDK imports ------------------------------------------------------------
 
    * @param securityContextProvider
    */
   @Inject
-  public ConfigurationResource(
-          Provider<WebSecurityContext> securityContextProvider,
-          ScmConfiguration configuration)
+  public ConfigurationResource(ScmConfiguration configuration)
   {
-    this.securityContextProvider = securityContextProvider;
     this.configuration = configuration;
   }
 
   {
     Response response = null;
 
-    if (SecurityUtil.isAdmin(securityContextProvider))
+    if (SecurityUtils.getSubject().hasRole(Role.ADMIN))
     {
       response = Response.ok(configuration).build();
     }
   @POST
   @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
   public Response setConfig(@Context UriInfo uriInfo,
-                            ScmConfiguration newConfig)
+    ScmConfiguration newConfig)
   {
-    SecurityUtil.assertIsAdmin(securityContextProvider);
+
+    // TODO replace by checkRole
+    Subject subject = SecurityUtils.getSubject();
+
+    if (!subject.hasRole(Role.ADMIN))
+    {
+      throw new ScmSecurityException("admin privileges required");
+    }
+
     configuration.load(newConfig);
 
     synchronized (ScmConfiguration.class)
 
   /** Field description */
   public ScmConfiguration configuration;
-
-  /** Field description */
-  private Provider<WebSecurityContext> securityContextProvider;
 }

scm-webapp/src/main/java/sonia/scm/api/rest/resources/GroupResource.java

 import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
+import org.apache.shiro.SecurityUtils;
+
 import org.codehaus.enunciate.jaxrs.TypeHint;
 import org.codehaus.enunciate.modules.jersey.ExternallyManagedLifecycle;
 
 import sonia.scm.group.Group;
 import sonia.scm.group.GroupException;
 import sonia.scm.group.GroupManager;
-import sonia.scm.util.SecurityUtil;
-import sonia.scm.web.security.WebSecurityContext;
+import sonia.scm.security.Role;
 
 //~--- JDK imports ------------------------------------------------------------
 
 @Singleton
 @ExternallyManagedLifecycle
 public class GroupResource
-        extends AbstractManagerResource<Group, GroupException>
+  extends AbstractManagerResource<Group, GroupException>
 {
 
   /** Field description */
    * @param groupManager
    */
   @Inject
-  public GroupResource(Provider<WebSecurityContext> securityContextProvider,
-                       GroupManager groupManager)
+  public GroupResource(GroupManager groupManager)
   {
     super(groupManager);
-    this.securityContextProvider = securityContextProvider;
   }
 
   //~--- methods --------------------------------------------------------------
   @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
   @Override
   public Response update(@Context UriInfo uriInfo,
-                         @PathParam("id") String name, Group group)
+    @PathParam("id") String name, Group group)
   {
     return super.update(uriInfo, name, group);
   }
   {
     Response response = null;
 
-    if (SecurityUtil.isAdmin(securityContextProvider))
+    if (SecurityUtils.getSubject().hasRole(Role.ADMIN))
     {
       response = super.get(request, id);
     }
   public Response getAll(@Context Request request, @DefaultValue("0")
   @QueryParam("start") int start, @DefaultValue("-1")
   @QueryParam("limit") int limit, @QueryParam("sortby") String sortby,
-                                  @DefaultValue("false")
+    @DefaultValue("false")
   @QueryParam("desc") boolean desc)
   {
     return super.getAll(request, start, limit, sortby, desc);
    */
   @Override
   protected GenericEntity<Collection<Group>> createGenericEntity(
-          Collection<Group> items)
+    Collection<Group> items)
   {
     return new GenericEntity<Collection<Group>>(items) {}
     ;
   {
     return PATH_PART;
   }
-
-  //~--- fields ---------------------------------------------------------------
-
-  /** Field description */
-  private Provider<WebSecurityContext> securityContextProvider;
 }

scm-webapp/src/main/java/sonia/scm/api/rest/resources/RepositoryImportResource.java

  */
 
 
+
 package sonia.scm.api.rest.resources;
 
 //~--- non-JDK imports --------------------------------------------------------
 
 import com.google.inject.Inject;
-import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
 import org.codehaus.enunciate.jaxrs.TypeHint;
 import sonia.scm.repository.RepositoryHandler;
 import sonia.scm.repository.RepositoryManager;
 import sonia.scm.util.SecurityUtil;
-import sonia.scm.web.security.WebSecurityContext;
 
 //~--- JDK imports ------------------------------------------------------------
 
    * @param securityContextProvider
    */
   @Inject
-  public RepositoryImportResource(
-          RepositoryManager manager,
-          Provider<WebSecurityContext> securityContextProvider)
+  public RepositoryImportResource(RepositoryManager manager)
   {
     this.manager = manager;
-    this.securityContextProvider = securityContextProvider;
   }
 
   //~--- methods --------------------------------------------------------------
   @TypeHint(Repository[].class)
   @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
   public GenericEntity<List<Repository>> importRepositories(
-          @PathParam("type") String type)
+    @PathParam("type") String type)
   {
-    SecurityUtil.assertIsAdmin(securityContextProvider);
+    SecurityUtil.assertIsAdmin();
 
     List<Repository> repositories = new ArrayList<Repository>();
     RepositoryHandler handler = manager.getHandler(type);
             else if (logger.isWarnEnabled())
             {
               logger.warn("could not find imported repository {}",
-                          repositoryName);
+                repositoryName);
             }
           }
         }
   @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
   public GenericEntity<List<Type>> getImportableTypes()
   {
-    SecurityUtil.assertIsAdmin(securityContextProvider);
+    SecurityUtil.assertIsAdmin();
 
     List<Type> types = new ArrayList<Type>();
     Collection<Type> handlerTypes = manager.getTypes();
           else if (logger.isInfoEnabled())
           {
             logger.info("{} handler does not support import of repositories",
-                        t.getName());
+              t.getName());
           }
         }
       }
 
   /** Field description */
   private RepositoryManager manager;
-
-  /** Field description */
-  private Provider<WebSecurityContext> securityContextProvider;
 }

scm-webapp/src/main/java/sonia/scm/api/rest/resources/RepositoryResource.java

 import com.google.common.base.Strings;
 import com.google.common.io.Closeables;
 import com.google.inject.Inject;
-import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
+import org.apache.shiro.SecurityUtils;
+
 import org.codehaus.enunciate.jaxrs.TypeHint;
 import org.codehaus.enunciate.modules.jersey.ExternallyManagedLifecycle;
 
 import sonia.scm.repository.ChangesetPagingResult;
 import sonia.scm.repository.Permission;
 import sonia.scm.repository.PermissionType;
-import sonia.scm.repository.PermissionUtil;
 import sonia.scm.repository.Repository;
 import sonia.scm.repository.RepositoryException;
 import sonia.scm.repository.RepositoryIsNotArchivedException;
 import sonia.scm.repository.api.LogCommandBuilder;
 import sonia.scm.repository.api.RepositoryService;
 import sonia.scm.repository.api.RepositoryServiceFactory;
+import sonia.scm.security.RepositoryPermission;
 import sonia.scm.security.ScmSecurityException;
 import sonia.scm.util.AssertUtil;
 import sonia.scm.util.Util;
-import sonia.scm.web.security.WebSecurityContext;
 
 //~--- JDK imports ------------------------------------------------------------
 
   @Inject
   public RepositoryResource(ScmConfiguration configuration,
     RepositoryManager repositoryManager,
-    Provider<WebSecurityContext> securityContextProvider,
     RepositoryServiceFactory servicefactory)
   {
     super(repositoryManager);
     this.configuration = configuration;
     this.repositoryManager = repositoryManager;
     this.servicefactory = servicefactory;
-    this.securityContextProvider = securityContextProvider;
     setDisableCache(false);
   }
 
    */
   private boolean isOwner(Repository repository)
   {
-    return PermissionUtil.hasPermission(repository, securityContextProvider,
-      PermissionType.OWNER);
+
+    return SecurityUtils.getSubject().isPermitted(
+      new RepositoryPermission(repository, PermissionType.OWNER));
   }
 
   //~--- fields ---------------------------------------------------------------
   private RepositoryManager repositoryManager;
 
   /** Field description */
-  private Provider<WebSecurityContext> securityContextProvider;
-
-  /** Field description */
   private RepositoryServiceFactory servicefactory;
 }

scm-webapp/src/main/java/sonia/scm/api/rest/resources/SearchResource.java

 
 import com.google.common.base.Function;
 import com.google.inject.Inject;
-import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
 import org.codehaus.enunciate.modules.jersey.ExternallyManagedLifecycle;
 import sonia.scm.user.User;
 import sonia.scm.user.UserListener;
 import sonia.scm.user.UserManager;
-import sonia.scm.web.security.WebSecurityContext;
 
 //~--- JDK imports ------------------------------------------------------------
 
    * @param cacheManager
    */
   @Inject
-  public SearchResource(Provider<WebSecurityContext> securityContextProvider,
-                        UserManager userManager, GroupManager groupManager,
-                        CacheManager cacheManager)
+  public SearchResource(UserManager userManager, GroupManager groupManager,
+    CacheManager cacheManager)
   {
 
     // create user searchhandler
     Cache<String, SearchResults> userCache =
       cacheManager.getCache(String.class, SearchResults.class, CACHE_USER);
 
-    this.userSearchHandler = new SearchHandler<User>(securityContextProvider,
-            userCache, userManager);
+    this.userSearchHandler = new SearchHandler<User>(userCache, userManager);
 
     // create group searchhandler
     groupManager.addListener(this);
     Cache<String, SearchResults> groupCache =
       cacheManager.getCache(String.class, SearchResults.class, CACHE_GROUP);
 
-    this.groupSearchHandler = new SearchHandler<Group>(securityContextProvider,
-            groupCache, groupManager);
+    this.groupSearchHandler = new SearchHandler<Group>(groupCache,
+      groupManager);
   }
 
   //~--- methods --------------------------------------------------------------
   public SearchResults searchGroups(@QueryParam("query") String queryString)
   {
     return groupSearchHandler.search(queryString,
-                                     new Function<Group, SearchResult>()
+      new Function<Group, SearchResult>()
     {
       @Override
       public SearchResult apply(Group group)
   public SearchResults searchUsers(@QueryParam("query") String queryString)
   {
     return userSearchHandler.search(queryString,
-                                    new Function<User, SearchResult>()
+      new Function<User, SearchResult>()
     {
       @Override
       public SearchResult apply(User user)

scm-webapp/src/main/java/sonia/scm/api/rest/resources/SupportResource.java

 import com.google.common.collect.Maps;
 import com.google.inject.Inject;
 
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
+
 import org.codehaus.enunciate.modules.jersey.ExternallyManagedLifecycle;
 
 import sonia.scm.SCMContextProvider;
 import sonia.scm.plugin.PluginManager;
 import sonia.scm.repository.RepositoryHandler;
 import sonia.scm.repository.RepositoryManager;
+import sonia.scm.security.Role;
+import sonia.scm.security.ScmSecurityException;
 import sonia.scm.store.StoreFactory;
-import sonia.scm.util.SecurityUtil;
 import sonia.scm.util.SystemUtil;
-import sonia.scm.web.security.WebSecurityContext;
 
 //~--- JDK imports ------------------------------------------------------------
 
    * @param repositoryManager
    */
   @Inject
-  public SupportResource(WebSecurityContext securityContext,
-    SCMContextProvider context, ScmConfiguration configuration,
-    PluginManager pluginManager, StoreFactory storeFactory,
-    RepositoryManager repositoryManager)
+  public SupportResource(SCMContextProvider context,
+    ScmConfiguration configuration, PluginManager pluginManager,
+    StoreFactory storeFactory, RepositoryManager repositoryManager)
   {
-    this.securityContext = securityContext;
     this.context = context;
     this.configuration = configuration;
     this.pluginManager = pluginManager;
   @Produces(MediaType.TEXT_HTML)
   public Viewable getSupport() throws IOException
   {
-    SecurityUtil.assertIsAdmin(securityContext);
+    Subject subject = SecurityUtils.getSubject();
+
+    if (!subject.hasRole(Role.ADMIN))
+    {
+      throw new ScmSecurityException("admin privileges required");
+    }
 
     Map<String, Object> env = Maps.newHashMap();
 
   private RepositoryManager repositoryManager;
 
   /** Field description */
-  private WebSecurityContext securityContext;
-
-  /** Field description */
   private Class<?> storeFactoryClass;
 }

scm-webapp/src/main/java/sonia/scm/api/rest/resources/UserResource.java

 //~--- non-JDK imports --------------------------------------------------------
 
 import com.google.inject.Inject;
-import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
+import org.apache.shiro.SecurityUtils;
+
 import org.codehaus.enunciate.jaxrs.TypeHint;
 import org.codehaus.enunciate.modules.jersey.ExternallyManagedLifecycle;
 
 import sonia.scm.security.EncryptionHandler;
+import sonia.scm.security.Role;
 import sonia.scm.user.User;
 import sonia.scm.user.UserException;
 import sonia.scm.user.UserManager;
 import sonia.scm.util.AssertUtil;
-import sonia.scm.util.SecurityUtil;
 import sonia.scm.util.Util;
-import sonia.scm.web.security.WebSecurityContext;
 
 //~--- JDK imports ------------------------------------------------------------
 
    */
   @Inject
   public UserResource(UserManager userManager,
-                      EncryptionHandler encryptionHandler,
-                      Provider<WebSecurityContext> securityContextProvider)
+    EncryptionHandler encryptionHandler)
   {
     super(userManager);
     this.encryptionHandler = encryptionHandler;
-    this.securityContextProvider = securityContextProvider;
   }
 
   //~--- methods --------------------------------------------------------------
   @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
   @Override
   public Response update(@Context UriInfo uriInfo,
-                         @PathParam("id") String name, User user)
+    @PathParam("id") String name, User user)
   {
     return super.update(uriInfo, name, user);
   }
   {
     Response response = null;
 
-    if (SecurityUtil.isAdmin(securityContextProvider))
+    if (SecurityUtils.getSubject().hasRole(Role.ADMIN))
     {
       response = super.get(request, id);
     }
   public Response getAll(@Context Request request, @DefaultValue("0")
   @QueryParam("start") int start, @DefaultValue("-1")
   @QueryParam("limit") int limit, @QueryParam("sortby") String sortby,
-                                  @DefaultValue("false")
+    @DefaultValue("false")
   @QueryParam("desc") boolean desc)
   {
     return super.getAll(request, start, limit, sortby, desc);
    */
   @Override
   protected GenericEntity<Collection<User>> createGenericEntity(
-          Collection<User> items)
+    Collection<User> items)
   {
     return new GenericEntity<Collection<User>>(items) {}
     ;
 
   /** Field description */
   private EncryptionHandler encryptionHandler;
-
-  /** Field description */
-  private Provider<WebSecurityContext> securityContextProvider;
 }

scm-webapp/src/main/java/sonia/scm/filter/AdminSecurityFilter.java

 
 //~--- non-JDK imports --------------------------------------------------------
 
-import com.google.inject.Inject;
-import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
-import sonia.scm.util.SecurityUtil;
-import sonia.scm.web.security.WebSecurityContext;
+import org.apache.shiro.subject.Subject;
+
+import sonia.scm.security.Role;
 
 /**
  *
 {
 
   /**
-   * Constructs ...
-   *
-   *
-   * @param securityContextProvider
-   */
-  @Inject
-  public AdminSecurityFilter(
-          Provider<WebSecurityContext> securityContextProvider)
-  {
-    super(securityContextProvider);
-  }
-
-  //~--- get methods ----------------------------------------------------------
-
-  /**
    * Method description
    *
    *
    * @param securityContext
    *
+   * @param subject
+   *
    * @return
    */
   @Override
-  protected boolean hasPermission(WebSecurityContext securityContext)
+  protected boolean hasPermission(Subject subject)
   {
-    return SecurityUtil.isAdmin(securityContext);
+    return subject.hasRole(Role.ADMIN);
   }
 }

scm-webapp/src/main/java/sonia/scm/filter/SecurityFilter.java

 
 //~--- non-JDK imports --------------------------------------------------------
 
-import com.google.inject.Inject;
-import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
+
+import sonia.scm.user.User;
 import sonia.scm.web.filter.HttpFilter;
 import sonia.scm.web.filter.SecurityHttpServletRequestWrapper;
-import sonia.scm.web.security.WebSecurityContext;
 
 //~--- JDK imports ------------------------------------------------------------
 
   /** Field description */
   public static final String URL_AUTHENTICATION = "/api/rest/authentication";
 
-  //~--- constructors ---------------------------------------------------------
-
-  /**
-   * Constructs ...
-   *
-   *
-   * @param securityContextProvider
-   */
-  @Inject
-  public SecurityFilter(Provider<WebSecurityContext> securityContextProvider)
-  {
-    this.securityContextProvider = securityContextProvider;
-  }
-
   //~--- methods --------------------------------------------------------------
 
   /**
    */
   @Override
   protected void doFilter(HttpServletRequest request,
-                          HttpServletResponse response, FilterChain chain)
-          throws IOException, ServletException
+    HttpServletResponse response, FilterChain chain)
+    throws IOException, ServletException
   {
-    WebSecurityContext securityContext = securityContextProvider.get();
+    Subject subject = SecurityUtils.getSubject();
 
-    if (securityContext != null)
+    String uri =
+      request.getRequestURI().substring(request.getContextPath().length());
+
+    if (!uri.startsWith(URL_AUTHENTICATION))
     {
-      String uri =
-        request.getRequestURI().substring(request.getContextPath().length());
-
-      if (!uri.startsWith(URL_AUTHENTICATION))
+      if (hasPermission(subject))
       {
-        if (hasPermission(securityContext))
-        {
-          chain.doFilter(new SecurityHttpServletRequestWrapper(request,
-                  securityContext.getUser()), response);
-        }
-        else if (securityContext.isAuthenticated())
-        {
-          response.sendError(HttpServletResponse.SC_FORBIDDEN);
-        }
-        else
-        {
-          response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
-        }
+        chain.doFilter(new SecurityHttpServletRequestWrapper(request,
+          subject.getPrincipals().oneByType(User.class)), response);
       }
       else
       {
-        chain.doFilter(request, response);
+        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
       }
     }
     else
     {
-      response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+      chain.doFilter(request, response);
     }
   }
 
    * Method description
    *
    *
-   * @param securityContext
+   * @param subject
    *
    * @return
    */
-  protected boolean hasPermission(WebSecurityContext securityContext)
+  protected boolean hasPermission(Subject subject)
   {
-    return securityContext.isAuthenticated();
+    return subject.isAuthenticated();
   }
-
-  //~--- fields ---------------------------------------------------------------
-
-  /** Field description */
-  private Provider<WebSecurityContext> securityContextProvider;
 }

scm-webapp/src/main/java/sonia/scm/group/DefaultGroupManager.java

 import sonia.scm.TransformFilter;
 import sonia.scm.search.SearchRequest;
 import sonia.scm.search.SearchUtil;
-import sonia.scm.security.SecurityContext;
 import sonia.scm.util.CollectionAppender;
 import sonia.scm.util.SecurityUtil;
 import sonia.scm.util.Util;
    * @param groupListenerProvider
    */
   @Inject
-  public DefaultGroupManager(Provider<SecurityContext> securityContextProvider,
-                             GroupDAO groupDAO,
+  public DefaultGroupManager(GroupDAO groupDAO,
                              Provider<Set<GroupListener>> groupListenerProvider)
   {
-    this.securityContextProvider = securityContextProvider;
     this.groupDAO = groupDAO;
     this.groupListenerProvider = groupListenerProvider;
   }
                   group.getType());
     }
 
-    SecurityUtil.assertIsAdmin(securityContextProvider);
+    SecurityUtil.assertIsAdmin();
 
     if (groupDAO.contains(group.getName()))
     {
                   group.getType());
     }
 
-    SecurityUtil.assertIsAdmin(securityContextProvider);
+    SecurityUtil.assertIsAdmin();
 
     String name = group.getName();
 
                   group.getType());
     }
 
-    SecurityUtil.assertIsAdmin(securityContextProvider);
+    SecurityUtil.assertIsAdmin();
 
     String name = group.getName();
 
                   group.getType());
     }
 
-    SecurityUtil.assertIsAdmin(securityContextProvider);
+    SecurityUtil.assertIsAdmin();
 
     Group fresh = groupDAO.get(group.getName());
 
   @Override
   public Collection<Group> getAll(Comparator<Group> comparator)
   {
-    SecurityUtil.assertIsAdmin(securityContextProvider);
+    SecurityUtil.assertIsAdmin();
 
     List<Group> groups = new ArrayList<Group>();
 
   public Collection<Group> getAll(Comparator<Group> comparator, int start,
                                   int limit)
   {
-    SecurityUtil.assertIsAdmin(securityContextProvider);
+    SecurityUtil.assertIsAdmin();
 
     return Util.createSubCollection(groupDAO.getAll(), comparator,
                                     new CollectionAppender<Group>()
 
   /** Field description */
   private Provider<Set<GroupListener>> groupListenerProvider;
-
-  /** Field description */
-  private Provider<SecurityContext> securityContextProvider;
 }

scm-webapp/src/main/java/sonia/scm/plugin/DefaultPluginManager.java

 import sonia.scm.cache.CacheManager;
 import sonia.scm.config.ScmConfiguration;
 import sonia.scm.net.HttpClient;
-import sonia.scm.security.SecurityContext;
 import sonia.scm.util.AssertUtil;
 import sonia.scm.util.IOUtil;
 import sonia.scm.util.SecurityUtil;
  */
 @Singleton
 public class DefaultPluginManager
-        implements PluginManager, ConfigChangedListener<ScmConfiguration>
+  implements PluginManager, ConfigChangedListener<ScmConfiguration>
 {
 
   /** Field description */
    * @param clientProvider
    */
   @Inject
-  public DefaultPluginManager(
-          SCMContextProvider context,
-          Provider<SecurityContext> securityContextProvicer,
-          ScmConfiguration configuration, PluginLoader pluginLoader,
-          CacheManager cacheManager, Provider<HttpClient> clientProvider)
+  public DefaultPluginManager(SCMContextProvider context,
+    ScmConfiguration configuration, PluginLoader pluginLoader,
+    CacheManager cacheManager, Provider<HttpClient> clientProvider)
   {
     this.context = context;
-    this.securityContextProvicer = securityContextProvicer;
     this.configuration = configuration;
     this.cache = cacheManager.getCache(String.class, PluginCenter.class,
-                                       CACHE_NAME);
+      CACHE_NAME);
     this.clientProvider = clientProvider;
     installedPlugins = new HashMap<String, Plugin>();
 
   @Override
   public void install(String id)
   {
-    SecurityUtil.assertIsAdmin(securityContextProvicer);
+    SecurityUtil.assertIsAdmin();
 
     PluginCenter center = getPluginCenter();
 
   @Override
   public void uninstall(String id)
   {
-    SecurityUtil.assertIsAdmin(securityContextProvicer);
+    SecurityUtil.assertIsAdmin();
 
     Plugin plugin = installedPlugins.get(id);
 
   @Override
   public void update(String id)
   {
-    SecurityUtil.assertIsAdmin(securityContextProvicer);
+    SecurityUtil.assertIsAdmin();
 
     String[] idParts = id.split(":");
     String groupId = idParts[0];
     for (PluginInformation info : getInstalled())
     {
       if (groupId.equals(info.getGroupId())
-          && artefactId.equals(info.getArtifactId()))
+        && artefactId.equals(info.getArtifactId()))
       {
         installed = info;
 
   @Override
   public PluginInformation get(String id)
   {
-    SecurityUtil.assertIsAdmin(securityContextProvicer);
+    SecurityUtil.assertIsAdmin();
 
     PluginInformation result = null;
 
   public Set<PluginInformation> get(PluginFilter filter)
   {
     AssertUtil.assertIsNotNull(filter);
-    SecurityUtil.assertIsAdmin(securityContextProvicer);
+    SecurityUtil.assertIsAdmin();
 
     Set<PluginInformation> infoSet = new HashSet<PluginInformation>();
 
   @Override
   public Collection<PluginInformation> getAll()
   {
-    SecurityUtil.assertIsAdmin(securityContextProvicer);
+    SecurityUtil.assertIsAdmin();
 
     Set<PluginInformation> infoSet = getInstalled();
 
   @Override
   public Collection<PluginInformation> getAvailable()
   {
-    SecurityUtil.assertIsAdmin(securityContextProvicer);
+    SecurityUtil.assertIsAdmin();
 
     Set<PluginInformation> availablePlugins = new HashSet<PluginInformation>();
     Set<PluginInformation> centerPlugins = getPluginCenter().getPlugins();
   @Override
   public Set<PluginInformation> getAvailableUpdates()
   {
-    SecurityUtil.assertIsAdmin(securityContextProvicer);
+    SecurityUtil.assertIsAdmin();
 
     return get(FILTER_UPDATES);
   }
   @Override
   public Set<PluginInformation> getInstalled()
   {
-    SecurityUtil.assertIsAdmin(securityContextProvicer);
+    SecurityUtil.assertIsAdmin();
 
     Set<PluginInformation> infoSet = new LinkedHashSet<PluginInformation>();
 
     }
 
     return url.replace("{version}", context.getVersion()).replace("{os}",
-                       os).replace("{arch}", arch);
+      os).replace("{arch}", arch);
   }
 
   /**
    * @param filter
    */
   private void filter(Set<PluginInformation> target,
-                      Collection<PluginInformation> source, PluginFilter filter)
+    Collection<PluginInformation> source, PluginFilter filter)
   {
     for (PluginInformation info : source)
     {
             if (pluginHandler == null)
             {
               pluginHandler = new AetherPluginHandler(this,
-                      SCMContext.getContext(), configuration);
+                SCMContext.getContext(), configuration);
             }
 
             pluginHandler.setPluginRepositories(center.getRepositories());
       PluginInformation installed = installedPlugin.getInformation();
 
       if (isSamePlugin(available, installed)
-          && (installed.getState() == PluginState.CORE))
+        && (installed.getState() == PluginState.CORE))
       {
         core = true;
 
    * @return
    */
   private boolean isNewer(PluginInformation available,
-                          PluginInformation installed)
+    PluginInformation installed)
   {
     boolean result = false;
     PluginVersion version = PluginVersion.createVersion(available.getVersion());
   private boolean isSamePlugin(PluginInformation p1, PluginInformation p2)
   {
     return p1.getGroupId().equals(p2.getGroupId())
-           && p1.getArtifactId().equals(p2.getArtifactId());
+      && p1.getArtifactId().equals(p2.getArtifactId());
   }
 
   //~--- fields ---------------------------------------------------------------
   private AetherPluginHandler pluginHandler;
 
   /** Field description */
-  private Provider<SecurityContext> securityContextProvicer;
-
-  /** Field description */
   private Unmarshaller unmarshaller;
 }

scm-webapp/src/main/java/sonia/scm/search/SearchHandler.java

 
 import com.google.common.base.Function;
 import com.google.common.collect.Collections2;
-import com.google.inject.Provider;
+
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import sonia.scm.cache.Cache;
-import sonia.scm.util.SecurityUtil;
+import sonia.scm.security.ScmSecurityException;
 import sonia.scm.util.Util;
-import sonia.scm.web.security.WebSecurityContext;
 
 //~--- JDK imports ------------------------------------------------------------
 
    * @param cache
    * @param searchable
    */
-  public SearchHandler(Provider<WebSecurityContext> securityContextProvider,
-                       Cache<String, SearchResults> cache,
-                       Searchable<T> searchable)
+  public SearchHandler(Cache<String, SearchResults> cache,
+    Searchable<T> searchable)
   {
-    this.securityContextProvider = securityContextProvider;
+
     this.cache = cache;
     this.searchable = searchable;
   }
    * @return
    */
   public SearchResults search(String queryString,
-                              Function<T, SearchResult> function)
+    Function<T, SearchResult> function)
   {
-    SecurityUtil.assertIsNotAnonymous(securityContextProvider);
+    Subject subject = SecurityUtils.getSubject();
+
+    if (!subject.isAuthenticated())
+    {
+      throw new ScmSecurityException("Authentication is required");
+    }
 
     if (Util.isEmpty(queryString))
     {
   protected Searchable<T> searchable;
 
   /** Field description */
-  protected Provider<WebSecurityContext> securityContextProvider;
-
-  /** Field description */
   private int maxResults = 5;
 
   /** Field description */

scm-webapp/src/main/java/sonia/scm/user/DefaultUserManager.java

 import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import sonia.scm.TransformFilter;
 import sonia.scm.search.SearchRequest;
 import sonia.scm.search.SearchUtil;
+import sonia.scm.security.Role;
 import sonia.scm.security.ScmSecurityException;
 import sonia.scm.util.AssertUtil;
 import sonia.scm.util.CollectionAppender;
 import sonia.scm.util.IOUtil;
 import sonia.scm.util.SecurityUtil;
 import sonia.scm.util.Util;
-import sonia.scm.web.security.WebSecurityContext;
 
 //~--- JDK imports ------------------------------------------------------------
 
    * @param userListenerProvider
    */
   @Inject
-  public DefaultUserManager(
-          Provider<WebSecurityContext> scurityContextProvider, UserDAO userDAO,
-          Provider<Set<UserListener>> userListenerProvider)
+  public DefaultUserManager(UserDAO userDAO,
+    Provider<Set<UserListener>> userListenerProvider)
   {
-    this.scurityContextProvider = scurityContextProvider;
     this.userDAO = userDAO;
     this.userListenerProvider = userListenerProvider;
   }
       logger.info("create user {} of type {}", user.getName(), user.getType());
     }
 
-    User currentUser = SecurityUtil.getCurrentUser(scurityContextProvider);
+    Subject subject = SecurityUtils.getSubject();
 
-    if (!user.equals(currentUser) &&!currentUser.isAdmin())
+    if (!subject.isAuthenticated())
+    {
+      throw new ScmSecurityException("user is not authenticated");
+    }
+
+    User currentUser = subject.getPrincipals().oneByType(User.class);
+
+    if (!user.equals(currentUser) &&!subject.hasRole(Role.ADMIN))
     {
       throw new ScmSecurityException("admin account is required");
     }
       logger.info("delete user {} of type {}", user.getName(), user.getType());
     }
 
-    SecurityUtil.assertIsAdmin(scurityContextProvider);
+    SecurityUtil.assertIsAdmin();
 
     String name = user.getName();
 
       logger.info("modify user {} of type {}", user.getName(), user.getType());
     }
 
-    User currentUser = SecurityUtil.getCurrentUser(scurityContextProvider);
+    Subject subject = SecurityUtils.getSubject();
 
-    if (!user.getName().equals(currentUser.getName()) &&!currentUser.isAdmin())
+    if (!subject.isAuthenticated())
+    {
+      throw new ScmSecurityException("user is not authenticated");
+    }
+
+    User currentUser = subject.getPrincipals().oneByType(User.class);
+
+    if (!user.getName().equals(currentUser.getName())
+      &&!subject.hasRole(Role.ADMIN))
     {
       throw new ScmSecurityException("admin account is required");
     }
       logger.info("refresh user {} of type {}", user.getName(), user.getType());
     }
 
-    SecurityUtil.assertIsAdmin(scurityContextProvider);
+    SecurityUtil.assertIsAdmin();
 
     User fresh = userDAO.get(user.getName());
 
     }
 
     return SearchUtil.search(searchRequest, userDAO.getAll(),
-                             new TransformFilter<User>()
+      new TransformFilter<User>()
     {
       @Override
       public User accept(User user)
         User result = null;
 
         if (SearchUtil.matchesOne(searchRequest, user.getName(),
-                                  user.getDisplayName(), user.getMail()))
+          user.getDisplayName(), user.getMail()))
         {
           result = user.clone();
         }
   @Override
   public Collection<User> getAll(Comparator<User> comparator)
   {
-    SecurityUtil.assertIsAdmin(scurityContextProvider);
+    SecurityUtil.assertIsAdmin();
 
     List<User> users = new ArrayList<User>();
 
    */
   @Override
   public Collection<User> getAll(Comparator<User> comaparator, int start,
-                                 int limit)
+    int limit)
   {
-    SecurityUtil.assertIsAdmin(scurityContextProvider);
+    SecurityUtil.assertIsAdmin();
 
     return Util.createSubCollection(userDAO.getAll(), comaparator,
-                                    new CollectionAppender<User>()
+      new CollectionAppender<User>()
     {
       @Override
       public void append(Collection<User> collection, User item)
   //~--- fields ---------------------------------------------------------------
 
   /** Field description */
-  private Provider<WebSecurityContext> scurityContextProvider;
-
-  /** Field description */
   private UserDAO userDAO;
 
   /** Field description */

scm-webapp/src/main/java/sonia/scm/web/security/ApiBasicAuthenticationFilter.java

 
 //~--- non-JDK imports --------------------------------------------------------
 
-import com.google.inject.Inject;
-import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
 import sonia.scm.web.filter.BasicAuthenticationFilter;
   /** Field description */
   public static final String URI_STATE = "/api/rest/authentication/state";
 
-  //~--- constructors ---------------------------------------------------------
-
-  /**
-   * Constructs ...
-   *
-   *
-   * @param securityContextProvider
-   */
-  @Inject
-  public ApiBasicAuthenticationFilter(
-          Provider<WebSecurityContext> securityContextProvider)
-  {
-    super(securityContextProvider);
-  }
-
   //~--- methods --------------------------------------------------------------
 
   /**
    */
   @Override
   protected void doFilter(HttpServletRequest request,
-                          HttpServletResponse response, FilterChain chain)
-          throws IOException, ServletException
+    HttpServletResponse response, FilterChain chain)
+    throws IOException, ServletException
   {
 
     // skip filter on authentication resource
     if (request.getRequestURI().contains(URI_LOGIN)
-        || request.getRequestURI().contains(URI_STATE)
-        || request.getRequestURI().contains(URI_LOGOUT))
+      || request.getRequestURI().contains(URI_STATE)
+      || request.getRequestURI().contains(URI_LOGOUT))
     {
       chain.doFilter(request, response);
     }
    */
   @Override
   protected void handleUnauthorized(HttpServletRequest request,
-                                    HttpServletResponse response,
-                                    FilterChain chain)
-          throws IOException, ServletException
+    HttpServletResponse response, FilterChain chain)
+    throws IOException, ServletException
   {
     chain.doFilter(request, response);
   }

scm-webapp/src/main/java/sonia/scm/web/security/SecurityUtil.java

 /**
  *
  * @author Sebastian Sdorra
+ * @deprecated 
  */
+@Deprecated
 public class SecurityUtil
 {
 

scm-webapp/src/test/java/sonia/scm/user/DefaultUserManagerTest.java

 
 import java.util.HashSet;
 import java.util.Set;
+import org.junit.Before;
 
 /**
  *
  */
 public class DefaultUserManagerTest extends UserManagerTestBase
 {
+  
+  @Before
+  public void setAdminSubject(){
+    setSubject(MockUtil.createAdminSubject());
+  }
 
   /**
    * Method description
     when(listenerProvider.get()).thenReturn(new HashSet<UserListener>());
 
     XmlUserDAO userDAO = new XmlUserDAO(factory);
-
-    return new DefaultUserManager(MockUtil.getAdminSecurityContextProvider(),
-                                  userDAO, listenerProvider);
+    
+    return new DefaultUserManager(userDAO, listenerProvider);
   }
 }

scm-webapp/src/test/java/sonia/scm/web/security/DefaultAuthenticationHandlerTest.java

 import sonia.scm.security.MessageDigestEncryptionHandler;
 import sonia.scm.store.JAXBStoreFactory;
 import sonia.scm.store.StoreFactory;
+import sonia.scm.user.DefaultUserManager;
 import sonia.scm.user.User;
 import sonia.scm.user.UserListener;
 import sonia.scm.user.UserTestData;
-import sonia.scm.user.DefaultUserManager;
+import sonia.scm.user.xml.XmlUserDAO;
 import sonia.scm.util.MockUtil;
 
 import static org.junit.Assert.*;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import sonia.scm.user.xml.XmlUserDAO;
 
 /**
  *
     when(listenerProvider.get()).thenReturn(new HashSet<UserListener>());
 
     XmlUserDAO userDAO = new XmlUserDAO(storeFactory);
-    
-    DefaultUserManager userManager =
-      new DefaultUserManager(MockUtil.getAdminSecurityContextProvider(),
-                         userDAO, listenerProvider);
+
+    setSubject(MockUtil.createAdminSubject());
+
+    DefaultUserManager userManager = new DefaultUserManager(userDAO,
+                                       listenerProvider);
 
     userManager.init(contextProvider);
     userManager.create(slarti);
+    clearSubject();
+
     handler = new DefaultAuthenticationHandler(userManager, enc);
     handler.init(contextProvider);
     request = MockUtil.getHttpServletRequest();