Reflected XSS in import-keystore-certificate.jsp via the passphrase.

Reported by Florian Nivette of Sysdream.

The mucdesc parameter of muc-service-edit-form.jsp was reflected unescaped in
the summary view at muc-service-summary.jsp

This was reported by Florian Nivette of Sysdream.

Fixed by escaping on output within muc-service-summary.jsp.

In addition, domain validation was added on input.

The subdomain parameter in external-components-settings.jsp was reflected
in both cases in the deletion URI as an unencoded parameter.

Originally discovered by Simon Waters, then this case found by Florian
Nivette of Sysdream.

Fix is twofold:

* The parameter is now encoded on output, the deletion URI is now set using
the JSP tags instead of string construction.
* The subdomain parameter is validated on input, making it difficult to inject
script elements etc.

OF-929 prevent ghosts by removing ioSession check

Since the release of Openfire 3.9.3, users have reported problems with
"ghost" sessions left on the server. After reviewing the changes that
went into the 3.9.3 release, it seemed the fix for OF-464 may have had
some side effect causing this.

Since Igniterealtime's Openfire was reproducing OF-829, I did a test
whereby the functional changes of Igniterealtime/Openfire#ad08cae9
were reverted.  After 36 hours, there were no ghosts!

This will likely necessitate reopening OF-464.

OF-1089: Send IQ result only after messages

OF-1107 Option to not show email, added readme and changelog

Prevent occasional failure of CheckChainTrustedTest

There's one unit test that occasionally fails. This occurs as a result of an unintended
collision. As part of the test, many certificates are generated and stored in keystores.
The alias used for the entry was based on the hashcode of the public ke of the certificate.
The value range of those hashcodes is fairly small (it has only a couple of digits), which
leads to occasional collisions, causing the test to fail.

This commit replaces the hashcode-based alias with the Base64-encoded public key information.
This ensures that aliases for distinct keys are also distinct, while ensuring that the
aliases for equal keys are equal.

OF-1097: jabber:iq:auth / XEP-0078 disabled by default

AuthProvider has quite some complexity that exists solely for XEP-0078.
This commit removes most of that, by replacing the generic checks for
digest and plain support with a non-generic implementation, that will
work for any auth provider that supports password retrieval.

Non-SASL authentication was obsoleted a long time ago. Openfire should not
enable it by default.

This commit moves the related implementation from the core Openfire code
into a plugin.

OF-1105: Plugin servlet mapping should be case insensitive.

OF-1092 Various fixes

OF-1100: Allow for subjectAltNames of type 'DNS'

The provider didn't register all of the supported SASL mechanisms. For good measure,
the version number of the provider was increased as well.

Although it evaluates as a boolean, the POLICY_NOANONYMOUS property value must
be a String value (as defined by javax.security.sasl.Sasl#POLICY_NOANONYMOUS)

The method signature defines that the 'props' argument is allowed to be null. Our
implementation should not throw a nullpointerexception.

Should use hypens instead of underscore.

Although I'd rather have this case sensitive, that would break backwards compatiblity.
This way, paths with capital letters can be used at least.

This commit formalizes the parsing of subjectAltName certificate extensions.

This commit adds support for the id-on-dnsSRV otherName, as well as
the UniformResourceIdentifier generalName, which both could also be
used for XMPP.

In addition to subjectAltNames of type otherName with an ASN.1 Object Identifier of
"id-on-xmppAddr", subjectAltNames of type DNS should also be evaluated when processing
identities from a certificate.

OF-1092: Pluggable SASL mechanism

A bit of rework of the SASL implementation. Pushed implementations to Java
Provider where this was not done before. When SASL fails, it is useful to be
able to add some context to the failure. To do this,
javax.security.sasl.SaslException is subclassed.

Outcasts should not be allowed to register with room.

Update Chinese Simplified translation (OF-1088)

OF-1095: Improve plugin (un)loading related logging

OF-1098: Anonymous user login should be disabled by default.

This commit adds more structure to the logging done when loading and unloading
plugins.

The plugin manager was adapted to create log statements for loading and unloading
each plugin. It also logs to std-out for log statements of priority INFO and above.
This mimics what some (but not all) plugins were doing internally.

There's an added log statement that informs that the loading of the entire set of
plugins has finished (which helps users to determine when Openfire is ready to be
used).

Corresponding log statements from individual plugins have been removed.

OF-1094: Allow reset of UserProvider

Some user providers might not provide a creation date for each user. There's no
reason that the Admin Console should not be able to cope with that.