
Sebastian Sdorra  committed acfb569

use apache shiro api for authentication over the BasicAuthenticationFilter

  • Parent commits 314eb37
  • Branches apache-shiro


Files changed (1)

File scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java

 import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.subject.Subject;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import sonia.scm.security.ScmAuthenticationToken;
 import sonia.scm.user.User;
 import sonia.scm.util.AssertUtil;
 import sonia.scm.util.HttpUtil;
 
   /**
    * Constructs ...
+   * @since 1.21
+   */
+  public BasicAuthenticationFilter() {}
+
+  /**
+   * Constructs ...
    *
    *
    * @param securityContextProvider
+   * @deprecated use the constructor with out arguments instead.
    */
-  @Inject
+  @Deprecated
   public BasicAuthenticationFilter(
-          Provider<WebSecurityContext> securityContextProvider)
+    Provider<WebSecurityContext> securityContextProvider)
   {
     this.securityContextProvider = securityContextProvider;
   }
    */
   @Override
   protected void doFilter(HttpServletRequest request,
-                          HttpServletResponse response, FilterChain chain)
-          throws IOException, ServletException
+    HttpServletResponse response, FilterChain chain)
+    throws IOException, ServletException
   {
-    WebSecurityContext securityContext = securityContextProvider.get();
-
-    AssertUtil.assertIsNotNull(securityContext);
+    Subject subject = SecurityUtils.getSubject();
 
     User user = null;
     String authentication = request.getHeader(HEADER_AUTHORIZATION);
         logger.trace("found basic authorization header, start authentication");
       }
 
-      user = authenticate(request, response, securityContext, authentication);
+      user = authenticate(request, response, subject, authentication);
 
       if (logger.isTraceEnabled())
       {
         }
       }
     }
-    else if (securityContext.isAuthenticated())
+    else if (subject.isAuthenticated())
     {
       if (logger.isTraceEnabled())
       {
         logger.trace("user is allready authenticated");
       }
 
-      user = securityContext.getUser();
+      user = subject.getPrincipals().oneByType(User.class);
     }
 
     if (user == null)
     else
     {
       chain.doFilter(new SecurityHttpServletRequestWrapper(request, user),
-                     response);
+        response);
     }
   }
 
    * @since 1.8
    */
   protected void handleUnauthorized(HttpServletRequest request,
-                                    HttpServletResponse response,
-                                    FilterChain chain)
-          throws IOException, ServletException
+    HttpServletResponse response, FilterChain chain)
+    throws IOException, ServletException
   {
     HttpUtil.sendUnauthorized(request, response);
   }
    * @param request
    * @param response
    * @param securityContext
+   * @param subject
    * @param authentication
    *
    * @return
    */
   private User authenticate(HttpServletRequest request,
-                            HttpServletResponse response,
-                            WebSecurityContext securityContext,
-                            String authentication)
+    HttpServletResponse response, Subject subject, String authentication)
   {
     String token = authentication.substring(6);
 
           logger.trace("try to authenticate user {}", username);
         }
 
-        user = securityContext.authenticate(request, response, username,
-                password);
+        try
+        {
+
+          subject.login(new ScmAuthenticationToken(request, response, username,
+            password));
+          user = subject.getPrincipals().oneByType(User.class);
+        }
+        catch (AuthenticationException ex)
+        {
+          logger.warn("authentication failed", ex);
+        }
       }
       else if (logger.isWarnEnabled())
       {
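Review bot: The new `catch (AuthenticationException ex)` block logs every failed Basic attempt at WARN with a full stack trace but without the username the request presented, which floods the log on repeated bad credentials and leaves nothing usable for spotting credential guessing; consider `logger.warn("authentication failed for user {}", username);` and keeping the exception at a lower level, e.g. `logger.trace("authentication failure", ex);`. The `try` body also opens with a stray blank line. If `subject.login(...)` succeeds but `oneByType(User.class)` yields null, the request is rejected by the `user == null` branch in doFilter while the Subject presumably remains logged in; a `subject.logout()` in that case would keep the two in step — worth confirming against the realm. The Javadoc in the preceding hunk still lists `@param securityContext` next to the new `@param subject` although that parameter no longer exists. authenticate's body continues outside the hunk.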