SecurityFix: enforce HTTP password checking on gitBasicAuth

When using auth.gitBasicAuth option in gerrit.config, the git
over HTTP authentication was using *ONLY* the Gerrit realm
for validating the user's credentials.

However only the LDAP realm did a real full checking of the
user's password, whilst with other realms (i.e. HTTP and HTTP_LDAP)
there was only a check on the existence of the user's account.

This created a potential security hole when a non-LDAP auth realm
was used in conjunction with gitBasicAuth.

The fix is to check, for non-LDAP authentication realms, the
HTTP Password in the Gerrit external access ids and deny
unauthenticated access if password do not match or has not
been generated in the user's settings HTTP tab.

Change-Id: I620eb780e6d77b45f6bc8a3af42f8b7b1caf821d

gerrit-common/src/main/java/com/google/gerrit/common/data/GerritConfig.java

@@ -33,7 +33,7 @@ public class GerritConfig implements Cloneable {
   protected String httpPasswordUrl;
   protected String reportBugUrl;
   protected String reportBugText;
-  protected boolean gitBasicAuth;
+  protected boolean httpPasswordSettingsEnabled = true;
 
   protected GitwebConfig gitweb;
   protected boolean useContributorAgreements;
@@ -112,12 +112,12 @@ public class GerritConfig implements Cloneable {
     reportBugText = t;
   }
 
-  public boolean isGitBasicAuth() {
-    return gitBasicAuth;
+  public boolean isHttpPasswordSettingsEnabled() {
+    return httpPasswordSettingsEnabled;
   }
 
-  public void setGitBasicAuth(boolean gba) {
-    gitBasicAuth = gba;
+  public void setHttpPasswordSettingsEnabled(boolean httpPasswordSettingsEnabled) {
+    this.httpPasswordSettingsEnabled = httpPasswordSettingsEnabled;
   }
 
   public String getEditFullNameUrl() {