
remove localhost bypass for API checks#4944

Merged
vladak merged 3 commits into oracle:master from vladak:api_no_localhost on May 7, 2026

Conversation

@vladak vladak commented May 7, 2026

The time has come (AI assisted vulnerability research, zero trust, and all that) to remove the capability to allow API calls to the sensitive endpoints solely on the basis of the request coming from localhost.

This means whoever uses the Python tooling or runs the indexer with the -U option will have to configure and supply a bearer token from now on. For the former it means using the pre-existing -H option to supply the Authorization HTTP header, for the latter using either the pre-existing --token option or setting the indexerAuthenticationToken option in the read-only configuration. Speaking of which, the read-only configuration has to be used to configure the set of allowed tokens anyway. Combining these two, the read-only configuration file contents can look like so:

<?xml version="1.0" encoding="UTF-8"?>
<java version="11.0.8" class="java.beans.XMLDecoder">
    <object class="org.opengrok.indexer.configuration.Configuration">
        <void property="authenticationTokens">
            <void method="add">
                <string>INSERT_YOUR_BEARER_TOKEN_HERE</string>
            </void>
        </void>
        <void property="indexerAuthenticationToken">
            <string>INSERT_YOUR_BEARER_TOKEN_HERE</string>
        </void>
    </object>
</java>

In the Docker image this is done automatically. There, any pre-existing bearer tokens will stop working as they will be replaced by the automatically generated ones. Due to the nature of the image I don't consider this scenario to be ever used.

While there, I did a cleanup of the /file endpoints handling.

Will update opengrok-sync configuration documentation, HTTP headers documentation with the newly added headers_file directive and the Apiary blueprint once this is in.
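The following is an added illustration, not OpenGrok's own code: it models the shape of the check this PR changes (a loopback-source bypass OR a bearer token before, a bearer token only after) and generates the read-only configuration shown above with a random token, then parses it back as a sanity check. The LOOPBACK set, the header parsing and all function names are assumptions made for the example; only the XML layout comes from the PR description.

```python
import hmac
import secrets
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

LOOPBACK = {"127.0.0.1", "::1"}  # assumed set of addresses the old bypass trusted

def parse_bearer(headers):
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token.strip() if scheme.lower() == "bearer" and token.strip() else None

def token_allowed(token, allowed_tokens):
    """Constant-time match of the presented token against the configured set."""
    return token is not None and any(
        hmac.compare_digest(token.encode(), t.encode()) for t in allowed_tokens)

def authorized_before(remote_addr, headers, allowed_tokens):
    """Pre-#4944 shape of the check (assumed): loopback source OR valid bearer token."""
    return remote_addr in LOOPBACK or token_allowed(parse_bearer(headers), allowed_tokens)

def authorized_after(remote_addr, headers, allowed_tokens):
    """Post-#4944 shape (assumed): the source address no longer matters, only the token."""
    return token_allowed(parse_bearer(headers), allowed_tokens)

# Read-only configuration layout from the PR description, with the token substituted.
CONFIG_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<java version="11.0.8" class="java.beans.XMLDecoder">
    <object class="org.opengrok.indexer.configuration.Configuration">
        <void property="authenticationTokens">
            <void method="add">
                <string>{token}</string>
            </void>
        </void>
        <void property="indexerAuthenticationToken">
            <string>{token}</string>
        </void>
    </object>
</java>
"""

def readonly_config(token=None):
    """Generate a random token (unless one is given) and the matching read-only config XML."""
    token = token or secrets.token_urlsafe(32)
    return token, CONFIG_TEMPLATE.format(token=escape(token))

def tokens_from_config(xml_text):
    """Parse the config back: (allowed API tokens, indexer token) for a sanity check."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    allowed = [s.text for s in root.findall(".//void[@property='authenticationTokens']/void/string")]
    idx = root.find(".//void[@property='indexerAuthenticationToken']/string")
    return allowed, (idx.text if idx is not None else None)
```

Write the returned XML to the file named by the read-only configuration option and pass the same token with --token (indexer) or in the Authorization header (Python tooling).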

@vladak vladak added the webapp web application label May 7, 2026
@oracle-contributor-agreement oracle-contributor-agreement Bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label May 7, 2026
@vladak vladak force-pushed the api_no_localhost branch from 3102f41 to e7ee896 on May 7, 2026 10:33
@vladak vladak merged commit 76502c4 into oracle:master May 7, 2026
11 checks passed
@vladak vladak deleted the api_no_localhost branch May 7, 2026 12:40