fix: cors filter should not store in local variable allowed origins

[yurem]

CorsFilter in doFilter method get allowed origins based on request and set them in AbstractCorsFilter.allowedOrigins before calling AbstractCorsFilter.doFilter. This is bad idea to pass them in such way because WebFilter is defined with asyncSupported = true. Hence second request can override this variable value. We can use:

request.setAttribute("clientAllowedOrigins", clientAllowedOrigins);

to pass client allowed origins to AbstractCorsFilter.doFilter

[yurem]

@mzico It's ready for QA

[mzico]

@yurem : In 4.5 and in 4.3.1.sp1, server responding with 200 even when request is not correct ( oxAuth.log showing error ).

I think we shouldn't allow server to respond with 200 and empty body. Better to make server response with 401 ( which is working in 4.4.2.sp1.

Can we make 4.5 and 4.3.1 same as 4.4.2.sp1?

Here is a GIF attached below to describe the situation:

[yurem]

According to stack trace it's not CORS filter issue It's related to Authentication Filter.