auth-check: Set content length only if authorization is valid

The HTTP Content-Length header is optional. We set it in the
auth-check servlet, so that clients can close the connection
early in case there is no content.

For HTTP FORBIDDEN, the content length seems to be non-zero.
A discrepancy between the content length header and the
actual content length triggers a warning in some HTTP servers.

This commit sets the content length only in the NO_CONTENT
case.

Change-Id: I5ac27bbf77c964e998c7dc2bfba9e912a9c26ccb
Patrick Hiesel
2020-11-11 10:15:56 +01:00
parent 5626c6ca1b
commit 74b740412b
2 changed files with 1 additions and 4 deletions


@@ -43,8 +43,8 @@ public class AuthorizationCheckServlet extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
CacheHeaders.setNotCacheable(res);
res.setContentLength(0);
if (user.get().isIdentifiedUser()) {
res.setContentLength(0);
res.setStatus(HttpServletResponse.SC_NO_CONTENT);
} else {
res.setStatus(HttpServletResponse.SC_FORBIDDEN);
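Review bot: The surviving `res.setContentLength(0);` now sits only on the `SC_NO_CONTENT` branch, which is the one status where RFC 7230 section 3.3.2 says a server must not send Content-Length at all. A 204 already tells the client there is no body, so the call can be dropped and that branch reduced to `res.setStatus(HttpServletResponse.SC_NO_CONTENT);`. Proxies that use this endpoint for an authorization decision should key on the status code alone. On the `else` branch, the commit message suggests the 403 body is written somewhere outside this servlet, so a short comment there would record why no length is set, e.g. `// Content-Length left unset: the 403 body is not produced here`. The body of `doGet` continues past the end of the hunk.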


@@ -14,8 +14,6 @@
package com.google.gerrit.acceptance.rest.auth;
import static com.google.common.truth.Truth.assertThat;
import com.google.gerrit.acceptance.AbstractDaemonTest;
import com.google.gerrit.acceptance.RestResponse;
import com.google.gerrit.acceptance.RestSession;
@@ -34,6 +32,5 @@ public class AuthenticationCheckIT extends AbstractDaemonTest {
RestSession anonymous = new RestSession(server, null);
RestResponse r = anonymous.get("/auth-check");
r.assertForbidden();
assertThat(r.getHeader("Content-Length")).isEqualTo("0");
}
}