-rw-r--r--java/com/google/gerrit/httpd/ProjectBasicAuthFilter.java2
-rw-r--r--javatests/com/google/gerrit/httpd/ProjectBasicAuthFilterTest.java22
2 files changed, 22 insertions, 2 deletions
diff --git a/java/com/google/gerrit/httpd/ProjectBasicAuthFilter.java b/java/com/google/gerrit/httpd/ProjectBasicAuthFilter.java
index e75d8feada..55ffef797b 100644
--- a/java/com/google/gerrit/httpd/ProjectBasicAuthFilter.java
+++ b/java/com/google/gerrit/httpd/ProjectBasicAuthFilter.java
@@ -99,7 +99,7 @@ class ProjectBasicAuthFilter implements Filter {
HttpServletRequest req = (HttpServletRequest) request;
Response rsp = new Response((HttpServletResponse) response);
- if (verify(req, rsp)) {
+ if (session.get().isSignedIn() || verify(req, rsp)) {
chain.doFilter(req, rsp);
}
}
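Review bot: With the new condition `session.get().isSignedIn() || verify(req, rsp)`, an Authorization header on a request that already has a signed-in session is never checked, so wrong credentials, or credentials for a different account, are silently ignored and the request proceeds as the session's user. If that precedence is intended, state it at the condition, e.g. `// A signed-in session takes precedence; any Authorization header on the request is not verified.` How the session becomes signed in before this filter runs is not visible in the hunk, so it is worth confirming that endpoints which relied on Basic auth being mandatory cannot now be reached with only a browser cookie session. doFilter begins above the hunk.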
diff --git a/javatests/com/google/gerrit/httpd/ProjectBasicAuthFilterTest.java b/javatests/com/google/gerrit/httpd/ProjectBasicAuthFilterTest.java
index 1f06472f59..f7792ed2d3 100644
--- a/javatests/com/google/gerrit/httpd/ProjectBasicAuthFilterTest.java
+++ b/javatests/com/google/gerrit/httpd/ProjectBasicAuthFilterTest.java
@@ -142,6 +142,27 @@ public class ProjectBasicAuthFilterTest {
}
@Test
+ public void shouldNotReauthenticateIfAlreadySignedIn() throws Exception {
+ req.addHeader(
+ "Authorization",
+ "Basic "
+ + B64_ENC.encodeToString(
+ (AUTH_USER + ":" + AUTH_PASSWORD).getBytes(StandardCharsets.UTF_8)));
+ res.setStatus(HttpServletResponse.SC_OK);
+
+ doReturn(true).when(webSession).isSignedIn();
+
+ ProjectBasicAuthFilter basicAuthFilter =
+ new ProjectBasicAuthFilter(webSessionItem, accountCache, accountManager, authConfig);
+
+ basicAuthFilter.doFilter(req, res, chain);
+
+ verify(accountManager, never()).authenticate(any());
+ verify(chain).doFilter(eq(req), any());
+ assertThat(res.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
+ }
+
+ @Test
public void shouldFailedAuthenticationAgainstRealm() throws Exception {
req.addHeader(
"Authorization",
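Review bot: shouldNotReauthenticateIfAlreadySignedIn sends the valid `AUTH_USER`/`AUTH_PASSWORD` pair, so it does not pin what happens when a signed-in session arrives with a bad or foreign Authorization header. A second case would document that decision: keep the `doReturn(true).when(webSession).isSignedIn();` stub, send an incorrect password, and assert whichever outcome the project wants, either `verify(chain).doFilter(eq(req), any());` or an `SC_UNAUTHORIZED` status. The test class continues outside the hunk.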
@@ -157,7 +178,6 @@ public class ProjectBasicAuthFilterTest {
new ProjectBasicAuthFilter(webSessionItem, accountCache, accountManager, authConfig);
basicAuthFilter.doFilter(req, res, chain);
- basicAuthFilter.destroy();
verify(accountManager).authenticate(any());