History log of /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/internal-common/conf/authentication.json
Revision Date Author Comments
738dcf53cdbddc9f941ca40c8db8dcf3e472eca5 09-Oct-2015 Jake Feasel <jake.feasel@forgerock.com>

OPENIDM-4217 - Align with CUI-111 and 21dcdac9 to properly use managed/user authzRoles. Still blocked by OPENIDM-4246

/forgerock/openidm-v4/openidm-ui/openidm-ui-admin/src/main/js/org/forgerock/openidm/ui/admin/delegates/SiteConfigurationDelegate.js /forgerock/openidm-v4/openidm-ui/openidm-ui-common/src/main/js/org/forgerock/openidm/ui/common/UserModel.js /forgerock/openidm-v4/openidm-ui/openidm-ui-common/src/main/js/org/forgerock/openidm/ui/common/components/Footer.js /forgerock/openidm-v4/openidm-ui/openidm-ui-enduser/src/main/js/org/forgerock/openidm/ui/dashboard/Dashboard.js /forgerock/openidm-v4/openidm-ui/openidm-ui-enduser/src/main/js/org/forgerock/openidm/ui/util/delegates/SiteConfigurationDelegate.js /forgerock/openidm-v4/openidm-ui/pom.xml /forgerock/openidm-v4/openidm-zip/src/main/resources/bin/defaults/script/auth/populateRolesFromRelationship.js /forgerock/openidm-v4/openidm-zip/src/main/resources/conf/authentication.json authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/sample3/conf/authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/sample6/conf/authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/scriptedrest2dj/conf/authentication.json
48a99a679220c6522d8b11dc1305f7780ae02a8e 07-Oct-2015 Jake Feasel <jake.feasel@forgerock.com>

CR-7438 - OPENIDM-3344 - Separate different role types into different fields for managed/user

/forgerock/openidm-v4/openidm-repo-orientdb/src/main/java/org/forgerock/openidm/repo/orientdb/impl/DBHelper.java /forgerock/openidm-v4/openidm-ui/openidm-ui-common/src/main/js/org/forgerock/openidm/ui/common/delegates/ResourceDelegate.js /forgerock/openidm-v4/openidm-ui/openidm-ui-common/src/main/js/org/forgerock/openidm/ui/common/resource/GenericEditResourceView.js /forgerock/openidm-v4/openidm-ui/openidm-ui-common/src/main/js/org/forgerock/openidm/ui/common/resource/ResourceCollectionArrayView.js /forgerock/openidm-v4/openidm-ui/openidm-ui-common/src/main/resources/templates/admin/resource/ResourceCollectionArrayViewTemplate.html /forgerock/openidm-v4/openidm-zip/src/main/resources/bin/defaults/script/auth/populateAsManagedUser.js /forgerock/openidm-v4/openidm-zip/src/main/resources/bin/defaults/script/auth/populateRolesFromRelationship.js /forgerock/openidm-v4/openidm-zip/src/main/resources/bin/defaults/script/ui/onCreate-user-set-default-fields.js /forgerock/openidm-v4/openidm-zip/src/main/resources/conf/authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/conf/managed.json /forgerock/openidm-v4/openidm-zip/src/main/resources/db/mysql/scripts/sample-explicit-managed-user.sql authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/sample3/conf/authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/sample6/conf/authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/scriptedrest2dj/conf/authentication.json
194cdefb77cf5217ac87c29c6412db51bd6b8c8d 10-Feb-2015 Brendan Mmiller <brendan.miller@forgerock.com>

IDME-340 (CR-5999) Add "static user" auth module to authenticate anonymous user against module config to avoid repo read for self-registration use-cases.

/forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/auth/AuthenticatorFactory.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/auth/StaticAuthenticator.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/IDMAuthModule.java /forgerock/openidm-v4/openidm-ui/openidm-ui-admin/src/main/js/org/forgerock/openidm/ui/admin/authentication/AuthenticationView.js /forgerock/openidm-v4/openidm-ui/openidm-ui-admin/src/main/resources/locales/en/translation.json /forgerock/openidm-v4/openidm-ui/openidm-ui-admin/src/main/resources/templates/admin/authentication/STATIC_USER.json /forgerock/openidm-v4/openidm-zip/src/main/resources/conf/authentication.json authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/openam/conf/authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/sample3/conf/authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/sample6/conf/authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/scriptedrest2dj/conf/authentication.json
09f9dc31a81e254d16f843b296b4a594158c8f61 17-Jun-2014 Jake Feasel <jake.feasel@forgerock.com>

OPENIDM-1953 - Disabling MANAGED_USER auth module for several samples, in favor of PASSTHROUGH to system/ldap/account
Just toggled a boolean config value; no review necessary.
Rationale for change: Previously, we attempted to authenticate using MANAGED_USER first, followed by a few others and then finally PASSTHROUGH. The reason it was first created this way was so that if there was a fully-populated managed/user entry, it would not need to query the remote system. This works fine if you are syncing passwords between managed/user and the remote backend, but as mentioned in OPENIDM-1953, that isn't always the case. To compound this problem, there is also the new function around role calculation; this is per-auth module, and so if you want to calculate roles for a given user you would need to do it for both MANAGED_USER and PASSTHROUGH, if they were both enabled. This redundancy is annoying and a likely source of confusion. So, this change is to just disable the MANAGED_USER auth module, and always use the PASSTHROUGH config.

94dade725a55de70aec65a84bc4949882e5277b1 02-Jun-2014 Jake Feasel <jake.feasel@forgerock.com>

CR-3654 - OPENIDM-1896 - Renaming passthroughAuthnPopulateContext.js to populateAsManagedUser.js

ca9cecf8aad26de692a51049e26d3374dc97f975 30-May-2014 Brendan Mmiller <brendan.miller@forgerock.com>

OPENIDM-1708 (CR-3633) Support reauth for any auth module configured in authentication.json.
* AuthenticationService now handles requests on /authentication, replacing AuthFilter which was not a filter, and did not fully handle reauth.
* Authenticators are used from both JASPI auth modules and AuthenticationService to provide the authentication--either with Http headers in the case of the auth modules, or from the authcid in the HttpContext and the reauth header in the case of reauthentication.
* AuthenticationService now satisfies the AuthenticationConfig service for the purposes of OSGiAuthFilterBuilder's access to the config to build the JASPI CAF.
* The duplicative managed/user config at the top of the sample authentication.json files is now removed, thus satisfying OPENIDM-1781.

/forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/auth/AuthenticationService.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/auth/Authenticator.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/auth/AuthenticatorFactory.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/auth/PassthroughAuthenticator.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/auth/ResourceQueryAuthenticator.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/config/AuthenticationConfigImpl.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/config/JaspiRuntimeConfigurationFactory.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/config/OSGiAuthnFilterHelper.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/DelegatedAuthModule.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/IDMAuthModule.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/IDMJaspiModuleWrapper.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/IDMUserAuthModule.java /forgerock/openidm-v4/openidm-authnfilter/src/test/java/org/forgerock/openidm/jaspi/modules/DelegatedAuthModuleTest.java /forgerock/openidm-v4/openidm-authnfilter/src/test/java/org/forgerock/openidm/jaspi/modules/IDMUserAuthModuleTest.java /forgerock/openidm-v4/openidm-filter/pom.xml /forgerock/openidm-v4/openidm-filter/src/main/java/org/forgerock/openidm/filter/AuthException.java /forgerock/openidm-v4/openidm-filter/src/main/java/org/forgerock/openidm/filter/AuthFilter.java 
/forgerock/openidm-v4/openidm-filter/src/main/java/org/forgerock/openidm/filter/internal/metadata/ConfigMeta.java /forgerock/openidm-v4/openidm-filter/src/main/java/org/forgerock/openidm/filter/package-info.java /forgerock/openidm-v4/openidm-filter/src/main/resources/org/forgerock/metadata/bundle.json /forgerock/openidm-v4/openidm-security/src/main/java/org/forgerock/openidm/security/impl/KeystoreResourceProvider.java /forgerock/openidm-v4/openidm-zip/pom.xml /forgerock/openidm-v4/openidm-zip/src/main/resources/conf/authentication.json authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/sample3/conf/authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/sample6/conf/authentication.json /forgerock/openidm-v4/pom.xml
b4260bb3e2303240ecf6c7e4e5639439c3f98889 27-May-2014 Brendan Mmiller <brendan.miller@forgerock.com>

OPENIDM-1762 (CR-3586) Additional decoupling of auth module role calculation and security context population from auth module validation code. Notably:
* factor out basic auth code to allow PassthroughModule to support both basic auth and X-OpenIDM- header auth.
* remove IWAPassthroughModule in favor of using auth module configuration to control order of execution
* separate client cert auth into its own module, supporting a list of "allowedAuthenticationIdPatterns" to compare against the subject DN
* remove static dependency on OSGIAuthnFilterBuilder for injection of OSGi artifacts - improves testability

/forgerock/openidm-v4/openidm-authnfilter/pom.xml /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/config/JaspiRuntimeConfigurationFactory.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/config/OSGiAuthnFilterBuilder.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/config/OSGiAuthnFilterHelper.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/AugmentationScriptExecutor.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/AuthHelper.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/ClientCertAuthModule.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/DefaultRoleCalculator.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/IDMAuthModule.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/IDMAuthenticationAuditLogger.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/IDMJaspiModuleWrapper.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/IDMUserAuthModule.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/IWAModule.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/IWAPassthroughModule.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/InternalUserAuthModule.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/ManagedUserAuthModule.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/MappingRoleCalculator.java 
/forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/PassthroughAuthenticator.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/PassthroughModule.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/PropertyRoleCalculator.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/ResourceQueryAuthenticator.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/RoleCalculator.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/RoleCalculatorFactory.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/UserWrapper.java /forgerock/openidm-v4/openidm-authnfilter/src/test/java/org/forgerock/openidm/jaspi/config/JaspiRuntimeConfigurationFactoryTest.java /forgerock/openidm-v4/openidm-authnfilter/src/test/java/org/forgerock/openidm/jaspi/modules/IDMJaspiModuleWrapperTest.java /forgerock/openidm-v4/openidm-authnfilter/src/test/java/org/forgerock/openidm/jaspi/modules/IDMUserAuthModuleTest.java /forgerock/openidm-v4/openidm-authnfilter/src/test/java/org/forgerock/openidm/jaspi/modules/IWAPassthroughModuleTest.java /forgerock/openidm-v4/openidm-authnfilter/src/test/java/org/forgerock/openidm/jaspi/modules/PassthroughModuleTest.java /forgerock/openidm-v4/openidm-filter/src/main/java/org/forgerock/openidm/filter/AuthFilter.java /forgerock/openidm-v4/openidm-zip/src/main/resources/conf/authentication.json authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/sample3/conf/authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/sample6/conf/authentication.json
0b90cf39da4c7ba2b843ffd3512d84d009b5dff0 14-May-2014 Brendan Mmiller <brendan.miller@forgerock.com>

OPENIDM-1735 / OPENIDM-1134 (CR-3503) Provide additional detail on sync failures from managed object CRUD operations. Provide example compensation script to compensate for sync failures.

/forgerock/openidm-v4/openidm-core/pom.xml /forgerock/openidm-v4/openidm-core/src/main/java/org/forgerock/openidm/managed/ManagedObjectSet.java /forgerock/openidm-v4/openidm-core/src/main/java/org/forgerock/openidm/sync/impl/ObjectMapping.java /forgerock/openidm-v4/openidm-core/src/main/java/org/forgerock/openidm/sync/impl/SynchronizationException.java /forgerock/openidm-v4/openidm-core/src/main/java/org/forgerock/openidm/sync/impl/SynchronizationService.java /forgerock/openidm-v4/openidm-core/src/test/java/org/forgerock/openidm/sync/impl/ObjectMappingTest.java /forgerock/openidm-v4/openidm-provisioner-openicf/src/main/java/org/forgerock/openidm/provisioner/openicf/commons/ObjectClassInfoHelper.java /forgerock/openidm-v4/openidm-provisioner-openicf/src/main/java/org/forgerock/openidm/provisioner/openicf/impl/OpenICFProvisionerService.java /forgerock/openidm-v4/openidm-provisioner-openicf/src/test/java/org/forgerock/openidm/provisioner/openicf/impl/OpenICFProvisionerServiceTest.java /forgerock/openidm-v4/openidm-provisioner/src/main/java/org/forgerock/openidm/provisioner/impl/SystemObjectSetService.java /forgerock/openidm-v4/openidm-ui-enduser/src/main/js/org/forgerock/openidm/ui/admin/users/UsersView.js /forgerock/openidm-v4/openidm-workflow-activiti/src/main/java/org/forgerock/openidm/workflow/activiti/impl/JsonGroupQuery.java /forgerock/openidm-v4/openidm-workflow-activiti/src/main/java/org/forgerock/openidm/workflow/activiti/impl/JsonUserQuery.java /forgerock/openidm-v4/openidm-zip/src/main/resources/bin/defaults/script/compensate.js /forgerock/openidm-v4/openidm-zip/src/main/resources/bin/defaults/script/policy.js /forgerock/openidm-v4/openidm-zip/src/main/resources/bin/defaults/script/policyFilter.js /forgerock/openidm-v4/openidm-zip/src/main/resources/bin/defaults/script/roles/defaultMapping.js /forgerock/openidm-v4/openidm-zip/src/main/resources/bin/defaults/script/roles/update-users-of-role.js 
/forgerock/openidm-v4/openidm-zip/src/main/resources/bin/defaults/script/ui/jqgridQueryWrapper.js /forgerock/openidm-v4/openidm-zip/src/main/resources/bin/defaults/script/workflow/triggerWorkflowFromSync.js authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/sample3/conf/authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/sample5/conf/sync.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/sample5/script/reconStats.js /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/sample6/conf/authentication.json /forgerock/openidm-v4/pom.xml
0c3f79f75f596c8d6700b2de830000f754bb28a9 12-May-2014 Phill Cunnington <phill.cunnington@forgerock.com>

CF-2495 - CAF-93/CAF-103 - Session integration with OpenAM via common session module

/forgerock/openidm-v4/openidm-api-servlet/src/main/java/org/forgerock/openidm/servlet/internal/IDMSecurityContextFactory.java /forgerock/openidm-v4/openidm-authnfilter/pom.xml /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/config/JaspiRuntimeConfigurationFactory.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/AugmentationScriptExecutor.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/IDMAuthModule.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/IDMJaspiModuleWrapper.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/IDMServerAuthModule.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/IDMUserAuthModule.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/IWAModule.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/IWAPassthroughModule.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/InternalUserAuthModule.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/PassthroughAuthenticator.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/PassthroughModule.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/RoleCalculator.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/SecurityContextMapper.java /forgerock/openidm-v4/openidm-authnfilter/src/main/java/org/forgerock/openidm/jaspi/modules/UserWrapper.java /forgerock/openidm-v4/openidm-authnfilter/src/test/java/org/forgerock/openidm/jaspi/config/JaspiRuntimeConfigurationFactoryTest.java 
/forgerock/openidm-v4/openidm-authnfilter/src/test/java/org/forgerock/openidm/jaspi/modules/IDMJaspiModuleWrapperTest.java /forgerock/openidm-v4/openidm-authnfilter/src/test/java/org/forgerock/openidm/jaspi/modules/IDMServerAuthModuleTest.java /forgerock/openidm-v4/openidm-authnfilter/src/test/java/org/forgerock/openidm/jaspi/modules/IWAModuleTest.java /forgerock/openidm-v4/openidm-authnfilter/src/test/java/org/forgerock/openidm/jaspi/modules/IWAPassthroughModuleTest.java /forgerock/openidm-v4/openidm-authnfilter/src/test/java/org/forgerock/openidm/jaspi/modules/InternalUserAuthModuleTest.java /forgerock/openidm-v4/openidm-authnfilter/src/test/java/org/forgerock/openidm/jaspi/modules/PassthroughModuleTest.java /forgerock/openidm-v4/openidm-zip/src/main/resources/bin/defaults/script/auth/passthroughAuthnPopulateContext.js /forgerock/openidm-v4/openidm-zip/src/main/resources/conf/authentication.json authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/provisioners/provisioner.openicf-ldap.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/sample3/conf/authentication.json /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/sample6/conf/authentication.json /forgerock/openidm-v4/pom.xml
32740a05f87c7f3ebb19181cc4b02d228444850c 26-Mar-2014 Brendan Mmiller <brendan.miller@forgerock.com>

OPENIDM-1687 (CR-3245) Update other auth module of 'userId' to 'authenticationId' for consistency.

56cbc2397b26fdd0e57ceb78657514d88f260e80 19-Mar-2014 Jake Feasel <jake.feasel@forgerock.com>

CR-3215 - OPENIDM-1683 - Pass-through authentication support for enduser ui