Allow WebSession to check XSRF token

I broke the way gerrit-review verifies the user's XSRF token on the
older-style JSON-RPC invocations. Allow the WebSession implementation
to check the token by passing in the entire token string, rather than
looking to see if it is equal.

Change-Id: Ib3cc7d08ae44e8ef79a2ae8f669897d252acc586

gerrit-httpd/src/main/java/com/google/gerrit/httpd/CacheBasedWebSession.java

@@ -137,6 +137,11 @@ public final class CacheBasedWebSession implements WebSession {
     return isSignedIn() ? "Bearer " + key.getToken() : null;
   }
 
+  @Override
+  public boolean isValidAuthorization(String keyIn) {
+    return keyIn.equals(getAuthorization());
+  }
+
   public AccountExternalId.Key getLastLoginExternalId() {
     return val != null ? val.getExternalId() : null;
   }

gerrit-httpd/src/main/java/com/google/gerrit/httpd/WebSession.java

@@ -24,6 +24,8 @@ public interface WebSession {
 
   public String getAuthorization();
 
+  public boolean isValidAuthorization(String keyIn);
+
   public AccountExternalId.Key getLastLoginExternalId();
 
   public CurrentUser getCurrentUser();

gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/GerritJsonServlet.java

@@ -249,7 +249,7 @@ final class GerritJsonServlet extends JsonServlet<GerritJsonServlet.GerritCall>
       } else {
         // The session must exist, and must be using this token.
         //
-        return session.isSignedIn() && keyIn.equals(session.getAuthorization());
+        return session.isSignedIn() && session.isValidAuthorization(keyIn);
       }
     }