[headless] Let websocket upgrade requests pass in AccessManager

This is because JavaScript in browsers apparently can not add Authentication
headers to websocket requests, so we use a dedicated authentication message there.

In Javalin 3, the AccessManager also handles websocket requests.
We need to let those pass to support JavaScript.
1 job for javalin-3.5 in 9 minutes and 49 seconds (queued for 1 minute and 57 seconds)
Status Job ID Name Coverage
passed #4286