sling distribution leaks jcr sessions

The code for acquiring a ResourceResolver in sling distribution core leaks a JCR Session. In tests I was running 50,000 sessions were leaked.

The code in DistributionUtils.getResourceResolver() creates a Session, then passes it to the ResourceResolver.getServiceResolver in the map with the key "user.jcr.credentials". This means the Session passed in is ignored (the correct key would have been "user.jcr.session"), and a new session is created for the service user configured - resulting in a new session. When the Resource Resolver is cleaned up the associated session is not the same as the abandoned session, meaning the original session (created on line number 89 of DistributionUtils) is never closed.

Please see attached patch for a possible solution which specifies the session in the ResourceResolverFactory correctly. I have tested this locally and it appears to work correctly, however it does change the behaviour because a different user is not used (the caller). I did not run any automated tests.

Also please be aware that it appears that the method "process" of the class ImportingDistributionPackageProcessor appears to never close the ResourceResolver acquired from the DistributionUtils.getResourceResolver() utility, please have a look.