Fix login redirect loop when auth.type = HTTP
In commit eb81d926 I modified the HttpAuthFilter to verify not
only the Gerrit session cookie was valid, but also to confirm the
session matches the username supplied by the container or reverse
proxy web server.
This check fails on Apache servers that use the recommended setting
of required user only on <Location /login/>. Browsers will not send
the Authorization header to /, so the remote user is null and Gerrit
thinks the session was not valid.
Commit eb81d926 added this check to handle SSO cases where every
request is authenticated and the user has performed some SSO action
to switch user identities as described in issue 1822.
Handle both cases more gracefully by only checking the username if
the container is supplying one.
Bug: issue 1862
Change-Id: Iad020049d7ba8a19d6f9c627ecf0d9df62aafafc
1 file changed
