
Allow programmatically set permission and veto predicates

Open ujibang opened this issue 6 months ago • 0 comments

Brief overview

We want to extend the programmatic definition of security policy rules by allowing both inclusive and exclusive security policies through veto and permission predicates.

Currently RESTHeart allows defining a set of predicates via PluginRegistry.getGlobalSecurityPredicates() that must all resolve to true to allow the request. Under the hood, the global security predicates are enforced by the vetoer authorizer GlobalPredicatesVetoer.

For clarity, we recall that an Authorizer can be either a VETOER or an ALLOWER. A request is allowed when no VETOER denies it and any ALLOWER allows it.

We want to extend and refactor this feature as follows:

  • move the current logic from PluginRegistry to a Provider in the package org.restheart.security of the core module
  • rename global security predicates to "veto predicates" and rename the vetoer as VetoPredicatesAuthorizer
  • symmetrically add permission predicates and the corresponding allower authorizer PermissionPredicatesAuthorizer

Rationale

By extending the programmatic definition of security policy rules, it will be possible to ship a secure service with its own security policy, avoiding the need to configure the ACL.

As an example, the RoleService mapped to /roles/{userid} can be secured and allowed to be requested only if the path parameter userid matches the authenticated user id. Currently this is not secured, to avoid the need to configure the ACL, and the authorization is checked in the service code.

Detailed documentation

TBD

ujibang • Feb 02 '24 16:02
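The decision rule recalled in the issue (no veto predicate fails, at least one permission predicate passes), applied to the /roles/{userid} case, as an added sketch that is not RESTHeart code and not part of the original issue. `Req`, `OWN_ROLES`, `READ_ONLY`, `roleUserId` and `isAllowed` are hypothetical names, and the read-only veto is an assumed policy chosen only to show a veto overriding a permission.

```java
import java.util.List;
import java.util.function.Predicate;

public class PredicateAuthzSketch {
    // Hypothetical stand-in for a request; not RESTHeart's request type.
    record Req(String method, String path, String authenticatedUser) {}

    // Returns the {userid} segment of exactly /roles/{userid}, or null for any other path shape.
    static String roleUserId(String path) {
        String[] parts = path.split("/", -1);
        boolean shapeOk = parts.length == 3 && parts[0].isEmpty()
            && parts[1].equals("roles") && !parts[2].isEmpty();
        return shapeOk ? parts[2] : null;
    }

    // Permission predicate: /roles/{userid} is allowed only when userid is the authenticated user.
    // An unauthenticated request (null user) never matches.
    static final Predicate<Req> OWN_ROLES = r ->
        r.authenticatedUser() != null && r.authenticatedUser().equals(roleUserId(r.path()));

    // Veto predicate (assumed policy): must hold for every request, here "read-only".
    static final Predicate<Req> READ_ONLY = r -> "GET".equals(r.method());

    // Allowed when every veto predicate is true and at least one permission predicate is true.
    // With no permission predicates, anyMatch is false, so the default is deny.
    static boolean isAllowed(Req r, List<Predicate<Req>> vetoes, List<Predicate<Req>> permissions) {
        return vetoes.stream().allMatch(p -> p.test(r))
            && permissions.stream().anyMatch(p -> p.test(r));
    }

    public static void main(String[] args) {
        var vetoes = List.of(READ_ONLY);
        var permissions = List.of(OWN_ROLES);
        // Constructed sample requests.
        var samples = List.of(
            new Req("GET", "/roles/alice", "alice"),     // own roles
            new Req("GET", "/roles/bob", "alice"),       // someone else's roles
            new Req("GET", "/roles/alice", null),        // not authenticated
            new Req("DELETE", "/roles/alice", "alice"),  // permitted, but vetoed
            new Req("GET", "/roles/alice/", "alice"));   // path shape not recognised
        for (Req r : samples) {
            System.out.printf("%-6s %-14s user=%-6s -> %s%n", r.method(), r.path(),
                r.authenticatedUser(), isAllowed(r, vetoes, permissions) ? "ALLOW" : "DENY");
        }
    }
}
```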