initialization to anon service. Fixed error in initialization.

XNAT-4424 Fixed timing of alias token expiration by doing everything through Hibernate instead of direct database queries.

Jiggered the app info bean to carry path info instead of injecting
directly into filter bean. Used this to create open URL matchers to
test if users are permitted to access particular site config values.
Added test for missing properties to return 404 when values are
requested for non-existent properties.

XNAT-4356 XNAT-4477 Added expiration time to alias token. Fixed logic in user enabling and verifying routines.

XNAT-4429,XNAT-4474,XNAT-4470 Fixed changing of passwords for expired passwords and unsalted passwords. Made UI look as expected in forgot password case as well.

XNAT-4470 Fixes to ExpiredPasswordFilter and change password page. Got forgot password working again.

all instances of putting guest user in auth principal. Modified filters
to consider null and guest as anon.

Fixed XNAT-4409 by adding a check for a par parameter on login. If a PAR is present and valid, then grant the user that just logged in the appropriate project permissions.

XNAT-4387 Made auth methods fully customizable via plugins. If none are specified, it will default to db authentication, but if any are specified, only the specified ones will show up. I also added support for an order property to control the order of the methods in the dropdown, as well as the order in which they are checked when users attempt authentication. I see this plugin-based way of configuring providers remaining as an alternative to AdminUI configuration once that is implemented.

XNAT-2429 XNAT-4201 XNAT-4423 Massive refactoring of libraries to get rid of split into root and application contexts. Moved lots of initialization from autowired fields to autowired constructors. Added method to create DICOM SCP instances without specifying ID since ID is now generated and provided. Fixed broken login on su operations.

XNAT-4327 Removed additional code that set CSRF token. All token sets should now be done only in session event publisher at the point when the session is actually created.

XNAT-4405 Added WWW-Authenticate to headers when non-interactive agent calls data URI. This lets non-preemptive basic auth work properly.

context path should match.

Added preference for how often to check if locked out users should be let back in. Made how to specify time intervals consistent within the User Logins and Session Controls section by having Failed Logins Lockout Duration and User Inactivity Lockout both be entered in Intervals.

Made the alias token timeout checking schedule configurable by the user. Made the inactivity lockout schedule actually take effect without a Tomcat restart. Readded line to SiteConfigPreferenceEvent that got left out of previous commit which was preventing events from working.

Modified alias token expiration so the frequency of checking for expiration would depend on the length before timeout. Previously, it would only check every hour, even if timeout was set to 10 minutes. Currently the frequency of checking doesn't change until you restart Tomcat, but I will have it take effect immediately once I create events we can trigger when changing preferences.

XNAT-4913 Added ArchiveServlet back in, fixed a couple issues in action classes, updated applet classes and VM.

Converted security to mostly use Java config to allow injection of preferences during initialization. Fixed scheduler issues.

Updated init check to check for whether the siteUrl is initialized. If it's not, system is assumed to be uninitialized.

Fixed project access requests. Fixed bug where unverified users were unable to log in even though require verification was set to false.

unencrypted passwords.