CAS: add an option to forbid host-based matching
See #2321 (closed) for context
Since 2.0.10 we allow administrators to have different access rules for http://proxy.example.com/app1 and http://proxy.example.com/app2
However, if only http://proxy.example.com/app1 is defined and we try to login to http://proxy.example.com/app3, access is allowed and matches http://proxy.example.com/app1.
This was meant for compatibility with the old behavior, at the expense of security. We should add an option to let administrators chose the secure behavior.