Port "setHttpOnly on the TomcatContext" fix from commit 4d84933e to
2.0.x. Since `Session` details are now configured on the
`WebServerFactory` we can directly configure the context.

See gh-12580

Update `ServerProperties` to also call `setHttpOnly` on the
`TomcatContext`. It appears that this is required in addition to
using the `ServletContextInitializer` to setup `SessionCookieConfig`.

Closes gh-12580

* pr/13302:
  Remove an unnecessary @QuartzDataSource

Closes gh-13302

See gh-4965

Closes gh-13138

Closes gh-13239

* gh-13088:
  Fix test in "Truststore password if SSLstoreprovider present"
  Use empty trust-store password if SSL store provider present

See gh-13088

For Tomcat, if an SslStoreProvider is configured,
`SslStoreProviderUrlStreamHandlerFactory` stores the trust-store with an
empty password. Previously, if a password was supplied using the
ssl.trust-store-password property, that would be the password used to
load the trust-store and the connector would warn with "Password
verification failed" message.

Fixes gh-12688

Closes gh-13239

See gh-13031

This commit restores caching for the main read operation when the
SecurityContext does not expose a principal (i.e. guest access).

Closes gh-13238

This commit fixes endpoint extension discovery when the related endpoint
is sub-classed. Previously, a strict by type check was applied against
the `endpoint` attribute of `EndpointExtension`.

Rather than using a `Class` check, this commit extracts the id of an
endpoint and uses it to match its extension, if any.

Closes gh-13082

* pr/13288:
  Fix wrong reference in cast operation

Closes gh-13288

* pr/13286:
  Use more Tag constants

Closes gh-13286

* pr/13284:
  Fix a wrong issue reference

Closes gh-13284