More flexible authentication. Anonymous view, authenticated admin.

gitblit.properties

@@ -26,8 +26,11 @@ git.cloneUrl = https://localhost/git/
 # Require authentication for http/https push/pull access of git repositories
 git.authenticate = true
 
-# Require authentication to see the web ui
-web.authenticate = true
+# Require authentication to see everything but the admin pages
+web.authenticateViewPages = false
+
+# Require admin authentication for the admin functions and pages
+web.authenticateAdminPages = true
 
 # Simple user realm file to authenticate users
 server.realmFile = users.properties

src/com/gitblit/wicket/AuthorizationStrategy.java

@@ -5,6 +5,8 @@ import org.apache.wicket.RestartResponseAtInterceptPageException;
 import org.apache.wicket.authorization.IUnauthorizedComponentInstantiationListener;
 import org.apache.wicket.authorization.strategies.page.AbstractPageAuthorizationStrategy;
 
+import com.gitblit.GitBlit;
+import com.gitblit.Keys;
 import com.gitblit.wicket.pages.RepositoriesPage;
 
 public class AuthorizationStrategy extends AbstractPageAuthorizationStrategy implements IUnauthorizedComponentInstantiationListener {
@@ -16,12 +18,34 @@ public class AuthorizationStrategy extends AbstractPageAuthorizationStrategy imp
 	@Override
 	protected boolean isPageAuthorized(Class pageClass) {
 		if (BasePage.class.isAssignableFrom(pageClass)) {
-			GitBlitWebSession session = GitBlitWebSession.get();
-			if (!session.isLoggedIn())
+			boolean authenticateView = GitBlit.self().settings().getBoolean(Keys.web.authenticateViewPages, true);
+			boolean authenticateAdmin = GitBlit.self().settings().getBoolean(Keys.web.authenticateAdminPages, true);
+			boolean allowAdmin = GitBlit.self().settings().getBoolean(Keys.web.allowAdministration, true);
+			
+			GitBlitWebSession session = GitBlitWebSession.get();			
+			if (authenticateView && !session.isLoggedIn()) {
+				// authentication required
 				return false;
+			}
+			
 			User user = session.getUser();
 			if (pageClass.isAnnotationPresent(AdminPage.class)) {
-				return user.canAdmin();
+				// admin page
+				if (allowAdmin) {
+					if (authenticateAdmin) {
+						// authenticate admin
+						if (user != null) {
+							return user.canAdmin();
+						}
+						return false;
+					} else {
+						// no admin authentication required
+						return true;
+					}
+				} else {
+					//admin prohibited
+					return false;
+				}
 			}
 		}
 		return true;

src/com/gitblit/wicket/BasePage.java

@@ -46,10 +46,15 @@ public abstract class BasePage extends WebPage {
 		add(new Label("pageName", pageName));
 
 		// footer
-		User user = null;
-		if (GitBlit.self().settings().getBoolean(Keys.web.authenticate, true)) {
-			user = GitBlitWebSession.get().getUser();
-			add(new LinkPanel("userPanel", null, getString("gb.logout") + " " + user.toString(), LogoutPage.class));
+		if (GitBlit.self().settings().getBoolean(Keys.web.authenticateViewPages, true)
+				|| GitBlit.self().settings().getBoolean(Keys.web.authenticateAdminPages, true)) {
+			if (GitBlitWebSession.get().isLoggedIn()) {
+				// logout
+				add(new LinkPanel("userPanel", null, getString("gb.logout") + " " + GitBlitWebSession.get().getUser().toString(), LogoutPage.class));
+			} else {
+				// login
+				add(new LinkPanel("userPanel", null, getString("gb.login"), LoginPage.class));				
+			}
 		} else {
 			add(new Label("userPanel", ""));
 		}

src/com/gitblit/wicket/GitBlitWebApp.java

@@ -35,7 +35,8 @@ public class GitBlitWebApp extends WebApplication {
 		super.init();
 
 		// Setup page authorization mechanism
-		if (GitBlit.self().settings().getBoolean(Keys.web.authenticate, false)) {
+		boolean useAuthentication = GitBlit.self().settings().getBoolean(Keys.web.authenticateViewPages, false) || GitBlit.self().settings().getBoolean(Keys.web.authenticateAdminPages, false);
+		if (useAuthentication) {
 			AuthorizationStrategy authStrategy = new AuthorizationStrategy();
 			getSecuritySettings().setAuthorizationStrategy(authStrategy);
 			getSecuritySettings().setUnauthorizedComponentInstantiationListener(authStrategy);
@@ -65,7 +66,7 @@ public class GitBlitWebApp extends WebApplication {
 		mount(new MixedParamUrlCodingStrategy("/ticgittkt", TicGitTicketPage.class, new String[] { "r", "h", "f" }));
 
 		// setup login/logout urls, if we are using authentication
-		if (GitBlit.self().settings().getBoolean(Keys.web.authenticate, true)) {
+		if (useAuthentication) {
 			mount(new MixedParamUrlCodingStrategy("/login", LoginPage.class, new String[] {}));
 			mount(new MixedParamUrlCodingStrategy("/logout", LogoutPage.class, new String[] {}));
 		}

src/com/gitblit/wicket/pages/RepositoriesPage.java

@@ -33,7 +33,7 @@ public class RepositoriesPage extends BasePage {
 		setupPage("", "");
 
 		boolean showAdmin = false;
-		if (GitBlit.self().settings().getBoolean(Keys.web.authenticate, true)) {
+		if (GitBlit.self().settings().getBoolean(Keys.web.authenticateAdminPages, true)) {
 			boolean allowAdmin = GitBlit.self().settings().getBoolean(Keys.web.allowAdministration, false);
 			showAdmin = allowAdmin && GitBlitWebSession.get().canAdmin();
 		} else {