Add Support for Explicitly Saving SecurityContext #10949

@rwinch

Description

We should remove SecurityContextPersistenceFilter in favor of explicit saves to the SecurityContextRepository. This will provide lots of benefits:

  • There will be no confusion about when the SecurityContext should be saved.
    • Currently, the code must diff the SecurityContext before and after to determine whether it needs to be saved.
      • This requires loading the SecurityContext up front to see what the current value is, which means forced reads of the HttpSession.
      • This requires complicated diff logic.
    • Currently, we must do our best to determine when a response is committed, and then determine whether the SecurityContext should be saved before the user gets the response back, so that if another request is made the SecurityContext is present (if it should be) and so that the session cookie can be written to the response (if necessary).
  • Different types of authentication can save (or not save) the SecurityContext differently. If there are multiple types of authentication in a single application, it is often desirable to only persist the SecurityContext when specific types of authentication occur. For example, if form login and HTTP Basic are both enabled, it may be desirable to only persist form login and require Basic authentication on every request.
  • This would align with how WebFlux works.

Related issues:
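The per-authentication-type save decision described in the issue, as an added example; this is not code from the issue or from Spring Security itself. It assumes the explicit-save model the issue proposes and builds on Spring Security's real `SecurityContextRepository.saveContext(context, request, response)`, `HttpSessionSecurityContextRepository`, `SecurityContextHolder` and `UsernamePasswordAuthenticationToken.unauthenticated(...)`, plus Spring's `OncePerRequestFilter` and the Jakarta servlet API. The filter class itself, its `/login` form convention, its Basic header parsing and the `AuthenticationManager` it delegates to are illustrative assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.filter.OncePerRequestFilter;

// Illustrative filter (assumption: not Spring Security's own code). Form login and
// HTTP Basic share one AuthenticationManager, but only the form login result is
// saved to the repository; Basic credentials are re-verified on every request.
public class ExplicitSaveAuthenticationFilter extends OncePerRequestFilter {

    private final AuthenticationManager authenticationManager;
    private final SecurityContextRepository securityContextRepository;

    public ExplicitSaveAuthenticationFilter(AuthenticationManager authenticationManager) {
        // HttpSession-backed persistence; this filter decides when it is used.
        this(authenticationManager, new HttpSessionSecurityContextRepository());
    }

    public ExplicitSaveAuthenticationFilter(AuthenticationManager authenticationManager,
            SecurityContextRepository securityContextRepository) {
        this.authenticationManager = authenticationManager;
        this.securityContextRepository = securityContextRepository;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        boolean formLogin = isFormLogin(request);
        Authentication token = formLogin ? formToken(request) : basicToken(request);
        if (token == null) {
            // No credentials on this request: leave it to the rest of the chain.
            chain.doFilter(request, response);
            return;
        }
        try {
            Authentication result = this.authenticationManager.authenticate(token);
            SecurityContext context = SecurityContextHolder.createEmptyContext();
            context.setAuthentication(result);
            SecurityContextHolder.setContext(context);
            if (formLogin) {
                // Explicit save, before anything downstream can commit the response,
                // so the session cookie is written and the next request finds the context.
                this.securityContextRepository.saveContext(context, request, response);
            }
            // Basic: intentionally not saved; the context lives only for this request.
            chain.doFilter(request, response);
        } catch (AuthenticationException ex) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } finally {
            // Never leave a context on the worker thread for the next request.
            SecurityContextHolder.clearContext();
        }
    }

    private static boolean isFormLogin(HttpServletRequest request) {
        return "POST".equals(request.getMethod()) && "/login".equals(request.getServletPath());
    }

    private static Authentication formToken(HttpServletRequest request) {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null) {
            return null;
        }
        return UsernamePasswordAuthenticationToken.unauthenticated(username, password);
    }

    private static Authentication basicToken(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                    StandardCharsets.UTF_8);
        } catch (IllegalArgumentException ex) {
            return null; // malformed base64: treat as no credentials
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return UsernamePasswordAuthenticationToken.unauthenticated(
                decoded.substring(0, colon), decoded.substring(colon + 1));
    }
}
```

The point of the example is where the save happens: the code that just performed the authentication calls `saveContext` itself, so nothing later in the chain has to load the previous context, diff it, or guess whether the response is already committed. In a real filter chain the session-fixation protection that normally runs on successful authentication must still happen before the save, since it changes the session the context is written to.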

Labels

  • in: web (An issue in web modules (web, webmvc))
  • type: enhancement (A general enhancement)