Details
- Task
- Status: Closed
- Major
- Resolution: Fixed
Description
Currently the SlingAuthenticator sets the following three request attributes in the Authenticator.handleSecurity method besides the attributes required by the OSGi Http Service spec:
- javax.jcr.Session – the primary session underlying the resource resolver
- $$org.apache.sling.commons.auth.impl.SlingAuthenticatorResourceResolver$$ – internal wrapper to help logout the resource resolver
- org.apache.sling.commons.auth.ResourceResolver – the request's resource resolver
The Session is here for backwards compatibility for a looooong time now. The official way to get at a session in requests has long been to adapt the request's resource resolver to a Session. Keeping the Session as a request attribute just makes cleaning up at the end more complicated.
The $$org.apache.sling.commons.auth.impl.SlingAuthenticatorResourceResolver$$ request attribute was introduced with the commons auth module, but before the ResourceResolver.close() method existed, to clean up the resource resolver and session after request processing. This request attribute is no longer needed thanks to the ResourceResolver.close() method, which allows for proper cleanup.
Thus the $$org.apache.sling.commons.auth.impl.SlingAuthenticatorResourceResolver$$ and javax.jcr.Session request attributes should not be set any longer.
As kind of a replacement, the JavaDoc of the Authenticator interface, and particularly of the Authenticator.handleSecurity method, should be enhanced to list the request attributes being set and to require the caller to call the close() method on the resource resolver at the end of request processing.
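The caller-side contract described above, as an added example that is not code from the Sling project: after handleSecurity has succeeded, the caller reads the resolver from the request attribute named in this issue, adapts it to a Session where JCR access is needed, and closes the resolver when processing ends. The class name `AuthenticatedRequestRunner` and its `process` hook are hypothetical.

```java
import java.io.IOException;
import javax.jcr.Session;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.resource.ResourceResolver;

// Hypothetical helper; only the attribute name comes from the issue text.
public abstract class AuthenticatedRequestRunner {

    // Request attribute holding the request's resource resolver.
    static final String RESOLVER_ATTR = "org.apache.sling.commons.auth.ResourceResolver";

    /** Call only after handleSecurity has returned true for this request. */
    public final void run(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Object attr = request.getAttribute(RESOLVER_ATTR);
        if (!(attr instanceof ResourceResolver)) {
            // Fail closed: without a resolver the request was not authenticated.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        ResourceResolver resolver = (ResourceResolver) attr;
        try {
            // Derive the JCR session from the resolver instead of reading a
            // javax.jcr.Session request attribute; null if not JCR-backed.
            Session session = resolver.adaptTo(Session.class);
            process(request, response, resolver, session);
        } finally {
            // Drop the reference so later code cannot reuse a closed resolver,
            // then release the resolver and the session behind it.
            request.removeAttribute(RESOLVER_ATTR);
            resolver.close();
        }
    }

    /** Request handling supplied by the caller; session may be null. */
    protected abstract void process(HttpServletRequest request,
            HttpServletResponse response, ResourceResolver resolver, Session session)
            throws ServletException, IOException;
}
```

The session obtained through adaptTo is owned by the resolver, so the caller does not log it out separately.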
Issue Links
- is depended upon by: SLING-1419 Remove dependency to JCR (Closed)