Allow POST requests from public user for specific URLs

[knabar]

With the introduction of the table slice call in #564, the option to use POST requests (in addition to GET) was included to allow for large number of rows to be fetched in one request. GET requests are limited by the maximum length of URIs.

An issue not previously considered is when omero.web.public.enabled is enabled in combination with omero.web.public.get_only. In that case there is no way to use POST for the table slice call. All POST requests would have to be allowed.

This PR proposes a new setting to selectively allow POST for some URLs, similar to how a set of URLs can be enabled for public mode.

Example:

omero config set omero.web.public.url_filter_post '^/webgateway/table/\d+/slice/'

This may not be the best or simplest approach, any thoughts or ideas on how else we could approach this? @will-moore @sbesson @jburel

[sbesson]

To demonstrate the original issue, the following requests can be executed after authenticating into OMERO.web using the Console tab of the Developer tools. They should return the first four cells (2 rows, 2 columns) of a table:

• using the GET request

$.get("/webgateway/table/2060/slice/?rows=0,1&columns=0,1", rsp=>console.log(rsp))

• or a POST request

$.post("/webgateway/table/2060/slice/", {rows: "0,1", columns: "0,1"}, rsp=>console.log(rsp))

Executing the same request against a table in a public OMERO.web instance deployed with the default omero.web.public.get_only configuration e.g. https://idr.openmicroscopy.org/webclient/?experimenter=-1 currently succeeds when using GET but fail with a 403 error when using POST.

The ability to slice the table using POST request is critical when slicing large table using large numbers of rows/columns. While GET requests are typically restricted by the maximum URL length, the body sent via a POST request has a larger upper limit. With this code, the expectation is to support the GET and POST requests to the /webgateway/table/<id>/slice endpoint either authenticated or anonymously (i.e. using the public user).