Do not resolve external groups for system accounts (#1541)

This change modifies the behaviour of the DefaultGroupCollector.
The collector does not longer resolve external groups for the anonymous user and it does not resolve internal nor external groups for the account which is used by the AdministrationContext.
This should reduce the requests which are send to external systems like ldap servers.

scm-webapp/src/main/java/sonia/scm/group/DefaultGroupCollector.java

@@ -21,7 +21,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.group;
 
 import com.cronutils.utils.VisibleForTesting;
@@ -63,13 +63,16 @@ public class DefaultGroupCollector implements GroupCollector {
   public Set<String> collect(String principal) {
     ImmutableSet.Builder<String> builder = ImmutableSet.builder();
 
-    if (!Authentications.isSubjectAnonymous(principal)) {
+    if (Authentications.isSubjectAnonymous(principal)) {
+      appendInternalGroups(principal, builder);
+    } else if (Authentications.isSubjectSystemAccount(principal)) {
       builder.add(AUTHENTICATED);
+    } else {
+      builder.add(AUTHENTICATED);
+      builder.addAll(resolveExternalGroups(principal));
+      appendInternalGroups(principal, builder);
     }
 
-    builder.addAll(resolveExternalGroups(principal));
-    appendInternalGroups(principal, builder);
-
     Set<String> groups = builder.build();
     LOG.debug("collected following groups for principal {}: {}", principal, groups);
     return groups;

scm-webapp/src/main/java/sonia/scm/web/security/AdministrationContextRealm.java

@@ -21,11 +21,10 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.web.security;
 
 import com.google.common.collect.Sets;
-import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationInfo;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.authz.AuthorizationInfo;

scm-webapp/src/main/java/sonia/scm/web/security/DefaultAdministrationContext.java

@@ -21,7 +21,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.web.security;
 
 //~--- non-JDK imports --------------------------------------------------------
@@ -39,13 +39,11 @@ import org.apache.shiro.util.ThreadState;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import sonia.scm.SCMContext;
+import sonia.scm.security.Authentications;
 import sonia.scm.security.Role;
 import sonia.scm.user.User;
 import sonia.scm.util.AssertUtil;
 
-import javax.xml.bind.JAXB;
-import java.net.URL;
-
 //~--- JDK imports ------------------------------------------------------------
 
 /**
@@ -57,8 +55,13 @@ public class DefaultAdministrationContext implements AdministrationContext
 {
 
   /** Field description */
-  public static final String SYSTEM_ACCOUNT =
-    "/sonia/scm/web/security/system-account.xml";
+  private static final User SYSTEM_ACCOUNT = new User(
+    Authentications.PRINCIPAL_SYSTEM,
+    "SCM-Manager System Account",
+    null
+  );
+
+
 
   /** Field description */
   static final String REALM = "AdminRealm";
@@ -83,16 +86,7 @@ public class DefaultAdministrationContext implements AdministrationContext
     this.injector = injector;
     this.securityManager = securityManager;
 
-    URL url = DefaultAdministrationContext.class.getResource(SYSTEM_ACCOUNT);
-
-    if (url == null)
-    {
-      throw new RuntimeException("could not find resource for system account");
-    }
-
-    User adminUser = JAXB.unmarshal(url, User.class);
-
-    principalCollection = createAdminCollection(adminUser);
+    principalCollection = createAdminCollection(SYSTEM_ACCOUNT);
   }
 
   //~--- methods --------------------------------------------------------------