Merge branch 'stable-2.16' into stable-3.0
* stable-2.16:
Create HTTP session only for login requests
Change-Id: I432b5917224f4e56c6167384ba069d7976718aee
diff --git a/src/main/java/com/googlesource/gerrit/plugins/saml/SamlWebFilter.java b/src/main/java/com/googlesource/gerrit/plugins/saml/SamlWebFilter.java
index ee4c72f..2c6549f 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/saml/SamlWebFilter.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/saml/SamlWebFilter.java
@@ -145,13 +145,13 @@
*/
HttpServletRequest httpRequest = new AnonymousHttpRequest((HttpServletRequest) incomingRequest);
HttpServletResponse httpResponse = (HttpServletResponse) response;
- AuthenticatedUser user = userFromRequest(httpRequest);
try {
if (isSamlPostback(httpRequest)) {
J2EContext context = new J2EContext(httpRequest, httpResponse);
signin(context);
} else if (isGerritLogin(httpRequest)) {
+ AuthenticatedUser user = userFromRequest(httpRequest);
if (user == null) {
J2EContext context = new J2EContext(httpRequest, httpResponse);
redirectToIdentityProvider(context);
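Review bot: The relocated `userFromRequest(httpRequest)` call inside the `isGerritLogin` branch carries no comment saying why it must stay there, so a later cleanup could hoist it back above the `try` and again allocate a session for every anonymous request, which is an avoidable memory-exhaustion surface. I would add above it `// Resolve the user only for login requests: this lookup creates an HTTP session, which must not happen on every anonymous hit.` The commit title implies that the lookup is what creates the session, but `userFromRequest` is not visible here. It is worth confirming that it and the remaining branches of this `try` only call `getSession(false)` where no session should be created. The enclosing method starts and ends outside the hunk.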