The "users" entry is now a dictionary mapping user names to
passwords and permissions. In order to allow for wildcards,
there is a new type of password, the wildcard password, and
an extra array called "fallback-users".
The field "allow-anonymous" no longer exists, this is now
the default behaviour. The field "allow-subgroups" has been
renamed to "auto-subgroups".
We provide backwards compatibility for group definition files,
but not for the config.json file, where the old "admin" array
is simply ignored.
If the WHIP session is not authenticated, then the only thing
preventing an attacker from DELETEing the session is the session
URL. Since client ids are known, obfuscate the id before using
it in the session URL.
