Reduce SecurityFilter to user injection and enable SecurityInterceptor

Remove all the unnecessary stuff and all endpoints that would be no
longer secure.

scm-webapp/src/main/java/sonia/scm/security/AllowAnonymousAccess.java

@@ -0,0 +1,11 @@
+package sonia.scm.security;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target({ElementType.TYPE, ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+public @interface AllowAnonymousAccess {
+}

scm-webapp/src/main/java/sonia/scm/security/SecurityInterceptor.java

@@ -2,11 +2,28 @@ package sonia.scm.security;
 
 import org.aopalliance.intercept.MethodInterceptor;
 import org.aopalliance.intercept.MethodInvocation;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.subject.Subject;
 
 public class SecurityInterceptor implements MethodInterceptor {
 
   @Override
   public Object invoke(MethodInvocation methodInvocation) throws Throwable {
-    return methodInvocation.proceed();
+    if (hasPermission() || anonymousAccessIsAllowed(methodInvocation)) {
+      return methodInvocation.proceed();
+    } else {
+      throw new AuthenticationException();
+    }
+  }
+
+  private boolean anonymousAccessIsAllowed(MethodInvocation methodInvocation) {
+    return methodInvocation.getMethod().isAnnotationPresent(AllowAnonymousAccess.class)
+      || methodInvocation.getMethod().getDeclaringClass().isAnnotationPresent(AllowAnonymousAccess.class);
+  }
+
+  private boolean hasPermission() {
+    Subject subject = SecurityUtils.getSubject();
+    return subject.isAuthenticated() || subject.isRemembered();
   }
 }