Fix bug with non-HTTP Shib sessions being valid for HTTP sessions

Previously, the PreauthUserDetailsProvider was only checking that a valid Shib session existed by looking for the regular or HTTP Shib session header. This check is now strengthened by validating the correct header exists for the correct instance.

Also renamed and changed some things in the Preauth test--it's now called HTTPPreauthUserDetailsProviderTest to reflect the fact that it's only testing the HTTP version of Preauth. Along those same lines, the test user now uses the HTTP headers and has been renamed to testuser_http.json.

Please review: @ahoffmann

src/main/edu/wisc/doit/FederatedPreauthUserDetailsProvider.php

@@ -28,8 +28,8 @@ class FederatedPreauthUserDetailsProvider implements UserDetailsProvider
     public function loadUser()
     {
         // Return null if no Shib session is found
-        if (empty(getenv(FederatedPreauthUserDetailsProvider::SHIB_SESSION_ID)) &&
-            empty(getenv(FederatedPreauthUserDetailsProvider::SHIB_SESSION_ID_HTTP))) {
+        if ($this->httpHeaders && !getenv(FederatedPreauthUserDetailsProvider::SHIB_SESSION_ID_HTTP) ||
+            !$this->httpHeaders && !getenv(FederatedPreauthUserDetailsProvider::SHIB_SESSION_ID)) {
             return null;
         }