commit 01c8be6c332adeb45300a7e4a41e98524348e927
author Luca Milanesio <luca.milanesio@gmail.com> Thu Dec 15 22:23:32 2022 +0000
committer Luca Milanesio <luca.milanesio@gmail.com> Thu Dec 15 22:27:11 2022 +0000
tree 84675360a547c4e6b5e888d8c04241cb24688906
parent 7c6862cbd1cd2ac8b36ab5fc681375a721f26b14

Create HTTP session only for login requests

Previously the SAML filter was creating a new Jetty HTTP
session for any request to Gerrit, including the ones that
are not supposed to go through a SAML authentication handshake.

Delay the creation of the session and fetching of the user
until the request has to process that information for a login
authentication flow.

Allow to massively reduce the number of sessions created
and also minimize the associated resource allocation.

Change-Id: I81af508f550b1c32e03616de0e82e7af99cbc880

src/main/java/com/googlesource/gerrit/plugins/saml/SamlWebFilter.java

diff --git a/src/main/java/com/googlesource/gerrit/plugins/saml/SamlWebFilter.java b/src/main/java/com/googlesource/gerrit/plugins/saml/SamlWebFilter.java
index dddb17a..7307910 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/saml/SamlWebFilter.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/saml/SamlWebFilter.java
@@ -134,13 +134,13 @@
     */
     HttpServletRequest httpRequest = new AnonymousHttpRequest((HttpServletRequest) incomingRequest);
     HttpServletResponse httpResponse = (HttpServletResponse) response;
-    AuthenticatedUser user = userFromRequest(httpRequest);
 
     try {
       if (isSamlPostback(httpRequest)) {
         J2EContext context = new J2EContext(httpRequest, httpResponse);
         signin(context);
       } else if (isGerritLogin(httpRequest)) {
+        AuthenticatedUser user = userFromRequest(httpRequest);
         if (user == null) {
           J2EContext context = new J2EContext(httpRequest, httpResponse);
           redirectToIdentityProvider(context);