diff --git a/routers/web/web.go b/routers/web/web.go index 78c88fb93..48f910274 100644 --- a/routers/web/web.go +++ b/routers/web/web.go @@ -98,14 +98,14 @@ func optionsCorsHandler() func(next http.Handler) http.Handler { // The Session plugin is expected to be executed second, in order to skip authentication // for users that have already signed in. func buildAuthGroup() *auth_service.Group { - group := auth_service.NewGroup( - &auth_service.OAuth2{}, // FIXME: this should be removed and only applied in download and oauth related routers - &auth_service.Basic{}, // FIXME: this should be removed and only applied in download and git/lfs routers - &auth_service.Session{}, - ) + group := auth_service.NewGroup() + group.Add(&auth_service.OAuth2{}) // FIXME: this should be removed and only applied in download and oauth related routers + group.Add(&auth_service.Basic{}) // FIXME: this should be removed and only applied in download and git/lfs routers + if setting.Service.EnableReverseProxyAuth { - group.Add(&auth_service.ReverseProxy{}) + group.Add(&auth_service.ReverseProxy{}) // reverseproxy should before Session, otherwise the header will be ignored if user has login } + group.Add(&auth_service.Session{}) if setting.IsWindows && auth_model.IsSSPIEnabled(db.DefaultContext) { group.Add(&auth_service.SSPI{}) // it MUST be the last, see the comment of SSPI