
clean up use of session in Access APIs for SPA

Open stevenwinship opened this issue 3 months ago • 20 comments

What this PR does / why we need it: We need to decouple the Access API from this responsibility, so that it validates permissions for the authenticated user provided by the API authentication filter—regardless of the authentication mechanism used. In the SPA’s case, this is a bearer token.

Must still be backward compatible with JSF, so session is still needed but localized.

The original issue also has a bug in that the API call is not being sent as a bearer token.

Which issue(s) this PR closes: https://github.com/IQSS/dataverse/issues/11740

  • Closes #11740. This fix doesn't close this issue until the frontend adds the bearer token to the API call.

Special notes for your reviewer: Removed a lot of the code referencing the session. Some code was not being utilized as downstream code doesn't behave as it did when this older code was written. I tried to consolidate the code accessing the session to a single method.

Suggestions on how to test this: Once the frontend is fixed, the UI can be used to test. Until then, a curl to the endpoint with the Bearer token can be used. I tested by adding a log statement to display the bearer token (BearerTokenAuthMechanism) from the previous call to pass to this API call.

Does this PR introduce a user interface change? If mockups are available, please link/include them here: no

Is there a release notes update needed for this change?: included

Additional documentation:

stevenwinship, Sep 25 '25 13:09