From 04b5e3cd3211095517df787f2977f79ac43a70be Mon Sep 17 00:00:00 2001
From: Rick Herrick <jrherrick@wustl.edu>
Date: Tue, 9 Aug 2016 00:07:25 -0500
Subject: [PATCH] XNAT-4450 Fixed issues where
 UsernamePasswordAuthenticationToken objects were passed for guest user,
 confusing anon access and causing redirects to login page. Cleaned up
 confusing log4j2 references.

---
 .../nrg/xnat/configuration/ReactorConfig.java |  4 --
 .../xnat/restlet/guard/XnatSecureGuard.java   | 15 ++-----
 .../restlet/resources/SecureResource.java     |  3 +-
 .../modules/screens/PublicProjectView.java    | 39 +++++++++----------
 4 files changed, 22 insertions(+), 39 deletions(-)

diff --git a/src/main/java/org/nrg/xnat/configuration/ReactorConfig.java b/src/main/java/org/nrg/xnat/configuration/ReactorConfig.java
index 13f555e7..c12fc080 100755
--- a/src/main/java/org/nrg/xnat/configuration/ReactorConfig.java
+++ b/src/main/java/org/nrg/xnat/configuration/ReactorConfig.java
@@ -2,15 +2,11 @@ package org.nrg.xnat.configuration;
 
 import org.nrg.framework.services.NrgEventService;
 import org.nrg.xft.event.listeners.XftItemEventListener;
-import org.nrg.xnat.event.conf.EventPackages;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import reactor.Environment;
 import reactor.bus.EventBus;
 
-import java.util.Arrays;
-import java.util.HashSet;
-
 /**
  * The Class ReactorConfig.
  */
diff --git a/src/main/java/org/nrg/xnat/restlet/guard/XnatSecureGuard.java b/src/main/java/org/nrg/xnat/restlet/guard/XnatSecureGuard.java
index ebbcdb05..189541b3 100644
--- a/src/main/java/org/nrg/xnat/restlet/guard/XnatSecureGuard.java
+++ b/src/main/java/org/nrg/xnat/restlet/guard/XnatSecureGuard.java
@@ -102,23 +102,14 @@ public class XnatSecureGuard extends Filter {
             }
             return true;
         } else {
-			UserI user;
 			final ChallengeResponse challengeResponse = request.getChallengeResponse();
 			if (challengeResponse != null) {
-				user = authenticateBasic(challengeResponse);
+				UserI user = authenticateBasic(challengeResponse);
 				if (user != null) {
 					return true;
 				}
-			}
-			else if (!XDAT.getSiteConfigPreferences().getRequireLogin()) {
-				try {
-					user=Users.getGuest();
-					if (user!=null) {
-						return true;
-					}
-				} catch (Exception e) {
-					logger.error("",e);
-				}
+			} else {
+				return !XDAT.getSiteConfigPreferences().getRequireLogin();
 			}
 		}
 		return false;
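Review bot: The new `else` branch grants access on `!XDAT.getSiteConfigPreferences().getRequireLogin()` alone, whereas the removed code also required `Users.getGuest()` to return a non-null user, so the guard no longer confirms that a guest account can be resolved before admitting an anonymous request. Nothing in this hunk binds a guest principal, so each resource behind the guard has to establish one itself (SecureResource attempts this via `XDAT.setGuestUserDetails()`). A comment on the branch such as `// anonymous access allowed by site config; the guest principal is set by the resource, not by this guard` would make that dependency explicit. A request whose challenge response fails `authenticateBasic` still falls through to `return false` even when login is not required; that looks intentional but is worth stating in the same comment. The enclosing method begins outside the hunk.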
diff --git a/src/main/java/org/nrg/xnat/restlet/resources/SecureResource.java b/src/main/java/org/nrg/xnat/restlet/resources/SecureResource.java
index 49409e2b..094b753f 100644
--- a/src/main/java/org/nrg/xnat/restlet/resources/SecureResource.java
+++ b/src/main/java/org/nrg/xnat/restlet/resources/SecureResource.java
@@ -151,8 +151,7 @@ public abstract class SecureResource extends Resource {
         user = XDAT.getUserDetails();
         if(user==null && !XDAT.getSiteConfigPreferences().getRequireLogin()){
             try {
-                user = Users.getGuest();
-                XDAT.setUserDetails(user);
+                XDAT.setGuestUserDetails();
             } catch (Exception e) {
                 logger.error("",e);
             }
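Review bot: After `XDAT.setGuestUserDetails()` the variable `user` is never reassigned, so within the visible lines it is still null for an anonymous request; the removed code assigned `user = Users.getGuest()` first. Unless code after the hunk re-reads it, later permission checks would run against a null user, and adding `user = XDAT.getUserDetails();` directly after the call would restore the previous state. The same pattern is fully visible in PublicProjectView.doBuildTemplate, where the still-null `user` is passed to `XnatProjectdata.getAllXnatProjectdatas(user, false)` and `Permissions.can(user, ...)`. The surrounding `catch (Exception e)` logs with an empty message and carries on, so a failure to set guest details would be hard to spot in the log; the enclosing block continues outside the hunk.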
diff --git a/src/main/java/org/nrg/xnat/turbine/modules/screens/PublicProjectView.java b/src/main/java/org/nrg/xnat/turbine/modules/screens/PublicProjectView.java
index ea63bfe2..540372e0 100644
--- a/src/main/java/org/nrg/xnat/turbine/modules/screens/PublicProjectView.java
+++ b/src/main/java/org/nrg/xnat/turbine/modules/screens/PublicProjectView.java
@@ -10,42 +10,39 @@
  */
 package org.nrg.xnat.turbine.modules.screens;
 
-import java.util.ArrayList;
-
 import org.apache.turbine.modules.screens.VelocityScreen;
 import org.apache.turbine.util.RunData;
 import org.apache.velocity.context.Context;
+import org.nrg.xdat.XDAT;
 import org.nrg.xdat.om.XnatProjectdata;
 import org.nrg.xdat.security.SecurityManager;
 import org.nrg.xdat.security.helpers.Permissions;
-import org.nrg.xdat.security.helpers.Users;
-import org.nrg.xdat.turbine.utils.TurbineUtils;
 import org.nrg.xft.security.UserI;
 
-public class PublicProjectView extends VelocityScreen {
+import java.util.ArrayList;
+import java.util.List;
 
-    /* (non-Javadoc)
-     * @see org.apache.turbine.modules.screens.VelocityScreen#doBuildTemplate(org.apache.turbine.util.RunData, org.apache.velocity.context.Context)
+@SuppressWarnings("unused")
+public class PublicProjectView extends VelocityScreen {
+    /**
+     * {@inheritDoc}
      */
     @Override
     protected void doBuildTemplate(RunData data, Context context) throws Exception {
-        UserI user = TurbineUtils.getUser(data);
-        
-        if (user==null){
-        	user=Users.getGuest();
-            TurbineUtils.setUser(data, user);
-        } 
-        ArrayList allProjects = new ArrayList();
-        
-        for(XnatProjectdata p :XnatProjectdata.getAllXnatProjectdatas(user, false)){
-            if (Permissions.can(user,p.getItem(), SecurityManager.ACTIVATE)){
+        UserI user = XDAT.getUserDetails();
+
+        if (user == null) {
+            XDAT.setGuestUserDetails();
+        }
+
+        final List<XnatProjectdata> allProjects = new ArrayList<>();
+
+        for (XnatProjectdata p : XnatProjectdata.getAllXnatProjectdatas(user, false)) {
+            if (Permissions.can(user, p.getItem(), SecurityManager.ACTIVATE)) {
                 allProjects.add(p);
             }
         }
-        
+
         context.put("projects", allProjects);
-        
     }
-
-
 }
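Review bot: The class-level `@SuppressWarnings("unused")` added above `PublicProjectView` silences unused-member warnings for the whole class, including any introduced by later edits. If it is there because the screen is presumably only instantiated by the framework and never referenced directly, a one-line comment saying so would help; otherwise the annotation can be dropped or narrowed to the member that needs it.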
-- 
GitLab