Fix #430 and pave the path for #427 This PR adds two interfaces:

• ObjectIOFactory
• ObjectIOStrategy

The ObjectIOFactory just creates instances of the ObjectIOStrategy. The strategy is invoked when writing/reading anything objects from the the serialized stream that are not the session attributes.

This PR is implemented in a way so the current behavior is backwards compatible with older versions.

Why is this important: In the current codebase, ordinary ObjectInputStream/ObjectOutputStream are used to serialize various objects. This PR allows you to customize this process.

For full mitigation, both a SessionAttributesTranscoder and an ObjectIOStrategy (and their two factories) that perform serialization class filtering should be implemented.

In our case, we implemented a strategy that uses FST (https://github.com/fstpackage/fst), employs compression(https://github.com/lz4/lz4), encryption / signing / authentication ((https://github.com/martinwithaar/Encryptor4j), and Serialization class filtering (https://docs.oracle.com/en/java/javase/11/core/serialization-filtering1.html). As discussed in #427 this covers an attack vector in which bytecode injection is possible if other checks on the server fail.

We implemented these interfaces and they can be used like this in a context.xml:

<?xml version="1.0" encoding="UTF-8"?>
<Context>
	<Manager
		className="de.javakaffee.web.msm.MemcachedBackupSessionManager"
		memcachedNodes="${redis.url}"
		sticky="true"
		sessionBackupAsync="true"
		storageKeyPrefix="static:app-name"
		transcoderFactoryClass="com.xxx.sessionmanagement.fst.FstTranscoderFactory"
		objectIOFactoryClassName="com.xxx.sessionmanagement.fst.FstObjectIOFactory"
		requestUriIgnorePattern="(?:^.*\/javax\.faces\.resource\/.*$)|(?:^.*\.(?:ico|png|gif|jpg|css|js)$)|(?:^.*\/(?:404|500).jsf)" />
</Context>