Skip extensions for notFound and badRequest

[hueniverse]

Only execute onRequest and onPreResponse. This is a security issue as it can create a way to execute code that bypasses authentication because the built-in not found and bad request handlers do not support authentication (and cannot).

[hueniverse]

While this is a breaking change, it is breaking insecure behavior that is probably unexpected by most developers since they rarely test invalid paths or non-existing paths. It can affect implementations where a required authentication scheme is configured and therefore all other extension points after authentication assume the request has been properly authenticated.