When using auth.gitBasicAuth option in gerrit.config, the git
over HTTP authentication was using *ONLY* the Gerrit realm
for validating the user's credentials.
However only the LDAP realm did a real full checking of the
user's password, whilst with other realms (i.e. HTTP and HTTP_LDAP)
there was only a check on the existence of the user's account.
This created a potential security hole when a non-LDAP auth realm
was used in conjunction with gitBasicAuth.
The fix is to check, for non-LDAP authentication realms, the
HTTP Password in the Gerrit external access ids and deny
unauthenticated access if password do not match or has not
been generated in the user's settings HTTP tab.
Change-Id: I620eb780e6d77b45f6bc8a3af42f8b7b1caf821d
b281cd402b