Restore session auth context persistence after Shiro 2.2 upgrade

[thll]

SAML Single Logout stopped terminating Graylog sessions after the recent Shiro 2.1.0 → 2.2.0 upgrade: when the IdP logged a user out, their Graylog session stayed alive. Persisted sessions were missing the auth_context attribute that carries the IdP SessionIndex, so SLO couldn't match anything to terminate.

Shiro 2.2.0 added a session-fixation defense that deletes a session between authenticate() and createSubject(). This caused our session attributes that were written by an AuthenticationListener to get lost.

This PR addresses that by replacing the AuthenticationListener-based persistence of SessionAuthContext with an override of Shiro's onSuccessfulLogin hook on DefaultSecurityManager. The hook fires after createSubject(), so the attribute is written to the post-auth session that actually gets persisted. The old listener is removed.

After completing this PR, I've noticed that this is a known regression and that an upstream fix will be available with the next release. I still think that we should merge this PR because it makes the SessionAuthContext handling more robust and also more obvious.

/nocl

[dennisoelkers]

Looks good and fixes the issue! Thank you!