Create HTTP session only for login requests
Previously the SAML filter was creating a new Jetty HTTP
session for any request to Gerrit, including the ones that
are not supposed to go through a SAML authentication handshake.
Delay the creation of the session and fetching of the user
until the request has to process that information for a login
authentication flow.
This massively reduces the number of sessions created
and also minimizes the associated resource allocation.
Change-Id: I81af508f550b1c32e03616de0e82e7af99cbc880
diff --git a/src/main/java/com/googlesource/gerrit/plugins/saml/SamlWebFilter.java b/src/main/java/com/googlesource/gerrit/plugins/saml/SamlWebFilter.java
index dddb17a..7307910 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/saml/SamlWebFilter.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/saml/SamlWebFilter.java
@@ -134,13 +134,13 @@
*/
HttpServletRequest httpRequest = new AnonymousHttpRequest((HttpServletRequest) incomingRequest);
HttpServletResponse httpResponse = (HttpServletResponse) response;
- AuthenticatedUser user = userFromRequest(httpRequest);
try {
if (isSamlPostback(httpRequest)) {
J2EContext context = new J2EContext(httpRequest, httpResponse);
signin(context);
} else if (isGerritLogin(httpRequest)) {
+ AuthenticatedUser user = userFromRequest(httpRequest);
if (user == null) {
J2EContext context = new J2EContext(httpRequest, httpResponse);
redirectToIdentityProvider(context);
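Review bot: Nothing at the moved line `AuthenticatedUser user = userFromRequest(httpRequest);` records why the lookup has to stay inside the `isGerritLogin` branch, so a later refactor could hoist it back above the `try` and quietly bring back a session for every request, including unauthenticated ones. I would add a comment directly above it, for example `// Resolve the user only on the login path: per the change description this lookup creates the HTTP session, so it must not run for ordinary requests.` The body of `userFromRequest` is not part of this hunk, so it is worth confirming that no other call on the pass-through path (presumably the branches after this one) still obtains a session. A regression test asserting that a non-login request leaves the container without a session would keep this from drifting. The enclosing filter method starts and ends outside the hunk.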