Allow to use JWT-proxy based Che workspace security for a particular user/workspace

[garagatyi]

Issue problem:
Theia doesn't adopt any kind of Auth framework, so Che platform team added a new Workspace security system. It is based on the addition of a JWT proxy sidecar in a workspace. All the ports that need to be secured a proxied by the sidecar which ensures that request is authenticated.
Since we want to be able to demo Theia in Che on OSIO and we don't want to make Theia insecure we need to adopt this JWT proxy.
Since this feature is disabled by default in Che we should consider using it only for workspaces of users that enabled the beta level of features or for Theia powered workspaces since the old Auth cannot be used for them at all.
Now Che supports enabling this feature in a feature toggle manner but only for the whole Che, not particular users/workspaces.
So what we need to consider:

1. Add an ability to enable JWT proxy auth for a particular user
2. Add JWT proxy auth to WS.NEXT workspaces by default OR only when option 1 is enabled
3. Enabling JWT proxy in upstream Che by default (we should think whether it is OK for a community/Rachel).
4. We should leverage OSIO unleash

We can decide what part of the suggested steps we should implement and what not. We can implement this idea partially to have some secure flow at the beginning and then being able to iterate with an ideal approach.

Related eclipse-che/che#10192, eclipse-che/che#10470

[garagatyi]

@ibuziuk @l0rd FYI

@l0rd how do you think can we allow or/and promote using Theia on OSIO without addressing this issue?

[garagatyi]

Thanks to David I figured out that it is also a case for the Theia stack that can be run on OSIO.
In both cases, if someone knows/guess URL of your Theia IDE in your workspace he can read your files, execute commands in the terminal embedded in Theia.