This gives an opportunity for "gatekeeping" pages asynchronously.

@PageAuthorize
void onAuthorize(NavigationControl control) {
    myService.call(hasAccess -> {
        if(hasAccess) {
            // We have access, proceed with navigation.
            control.proceed();
        } else {
            // Interrupt navigation and redirect.
            control.interrupt();
            redirectPageTo.go();
        }
    }).hasAccess(modelId, userId);
}

…ion id).

Revert change to HttpSessionWrapper. Don't store SessionContainer in
session anymore. Keep map of SessionContainers instead.

CSRF protection on message bus servlets is enabled by property.
Enabling the property creates a CSRF token on the first POST
request to the server bus.

The token can be written to an HTML page as a JavaScript variable
with a filter, or else the client can acquire it from a challenge
from the server (a 403 response containing the token as a header).

There is also a filter that protects REST endpoints using the same token.
When an Errai REST caller finds the token in a global JavaScript variable,
it will set this as a header for all REST requests.

Errai REST callers will also retry after a challenge from the server
(403 + token in header).

Previously a @PreDestroy would be called but
@ApplicationScoped instance would remain in service.