This commit adds support for a same origin check that compares
Origin header to Host header. It also changes the default setting
from all origins allowed to only same origin allowed.

Issues: SPR-12697, SPR-12685
(cherry picked from commit 6062e155)

This commit introduces the following changes:
 - Requests without Origin header are not rejected anymore
 - Disable Iframe when allowedOrigins is not empty and not equals to *
 - The Iframe is not cached anymore in order to have a reliable origin check
 - allowedOrigins must not be null or empty
 - allowedOrigins format is now validated (should be * or start by http(s)://)

Issue: SPR-12660
(cherry picked from commit 9b3319b3)

Issues: SPR-12283

This commit introduces a new OriginHandshakeInterceptor. It filters
Origin header value against a list of allowed origins.

AbstractSockJsService as been modified to:
 - Reject CORS requests with forbidden origins
 - Disable transport types that does not support CORS when an origin
   check is required
 - Use the Origin request header value instead of "*" for
   Access-Control-Allow-Origin response header value
   (mandatory when  Access-Control-Allow-Credentials=true)
 - Return CORS header only if the request contains an Origin header

It is possible to configure easily this behavior thanks to JavaConfig API
WebSocketHandlerRegistration#addAllowedOrigins(String...) and
StompWebSocketEndpointRegistration#addAllowedOrigins(String...).
It is also possible to configure it using the websocket XML namespace.

Please notice that this commit does not change the default behavior:
cross origin requests are still enabled by default.

Issues: SPR-12226

This change adds a "Vary: Origin" HTTP response header for /info and
/iframe SockJS endpoints.
This is preventing proxies and browsers from caching a response and
reusing it for an invalid Origin.

Reference: https://groups.google.com/forum/#!topic/sockjs/svsLWRorSis

Issue: SPR-12310

This commit updates the default location of the SockJS' client library.
The previous location is being retired by the project maintainers.

The new default location is backed by several CDN providers:
* https://cdn.jsdelivr.net/sockjs/0.3.4/sockjs.min.js

See sockjs/sockjs-client#198

Issue: SPR-12254

Consistent use of BDDMockito rather than standard Mockito.

Issue: SPR-11919

Prior to this commit, the ServletResponseHttpHeaders.get method
would throw an NPE when used under Wildfly 8.0.0.Final and 8.1.0.Final.
This can be traced to WFLY-3474, which throws an NPE when calling
HttpServletResponse.getHeaders("foo") and that header has not
been defined prior to that.
This would cause NPE being thrown by AbstractSockJsService when
checking for CORS HTTP headers in the server HTTP response.

This commit surrounds that method call in AbstractSockJsService and
guards against this issue.

Issue: SPR-11919

After this change, AbstractSockJsService does not add CORS headers if
the response already contains an "Access-Control-Allow-Origin" header.
Essentially it backs off assuming CORS headers are handled centrally
e.g. through a Filter.

In order to support this, the ServletServerHttpResponse now returns an
instance of HttpHeaders that also provides access to headers already
present in the HttpServletResponse.

Issue: SPR-11443

 - Deleted empty AbstractWebSocketClientTests class.

 - AbstractServletHandlerMethodTests and AbstractHttpRequestTests are
   now actually declared as abstract.

 - The following classes are not abstract but currently have an
   "Abstract" prefix and therefore get ignored by the Gradle build.
   This commit renames each of these by deleting the "Abstract" prefix.

   - AbstractFlashMapManagerTests
   - AbstractMappingContentNegotiationStrategyTests
   - AbstractSockJsServiceTests
   - AbstractWebSocketHandlerRegistrationTests

Introduced SockJsSession interface and moved SockJsSessionFactory and SockJsServiceConfig to sockjs.transport; added initialize(SockJsServiceConfig) method to TransportHandler interface; extracted TransportHandlingSockJsService from DefaultSockJsService; moved sockjs.support.frame to sockjs.frame and extracted (Default)SockJsFrameFormat from SockJsFrame; moved SockJsHttpRequestHandler to sockjs.support; removed Jackson 1.x support

The SockJS path is now passed to the SockJsService handleRequest method
thus removing the need to guess it.

Issue: SPR-11058

Issue: SPR-10923

Issue: SPR-10939

Add a factory method in ServerHttpRequest for creating a
ServerHttpAsyncRequestControl.

See javadoc in SockJsService for details.

Also remove ReadOnlyMultiValueMap, CollectionUtils has a method for
that already.

The method returning query parameters now returns only query string
parameters as opposed to any Servlet request parameter.

This commit also adds a ReadOnlyMultiValueMap.

ServerHttpAsyncResponseControl wraps a ServetHttpRequest and -Response
pair and allows putting the processing of the request in async mode
so that the response remains open until explicitly closed, either from
the current or from another thread.

ServletServerHttpAsyncResponseControl provides a Serlvet-based
implementation.

A getCookies method is now available on ServerHttpRequest with one
ServletServerCookie implementation that wraps a Servlet cookie.

The SockJS service makes use of this to check for an existing session
cookie in the request.

After this change the top-level sockjs package contains the main types
for use in applications.

A SockJS message frame is an array of JSON-encoded messages and before
this change the use of the Jackson 2 library was hard-coded.

A Jackson 2 and Jackson 1.x implementations are provided and
automatically used if those libraries are present on the classpath.

Issue: SPR-10800

Minor polish to formatting and assertion messages.

Issue: SPR-10130