Correct REST sessions and OAuth2 tokens behaviour

[dtaimanov]

Tasks:

• [ ] Reimplement jmix-sessions add-on according to specs and Spring Session.
• [ ] Make sessions registered in SessionRegistry and displayed on UserSessions view.
• [ ] Investigate and fix "/revoke" endpoint behaviour if needed.
• [ ] Investigate and fix session expiration behaviour (invalidate session on UserSession view): HTTP codes, token behaviour
  • [ ] Check the same for 1.x
• [ ] Check which behaviour should be corrected for 1.x too (see 12 internal documentation).
• [ ] Fix tests (see [jmix-framework/jmix#3915] comments)