Remove WARN log lines for authentication failures

[hjacobs]

We should not spam the log with WARNINGS about client's missing permissions. I propose changing these log lines to "INFO" and delete some places (e.g. if no auth was given).

[hjacobs]

This needs to be changed in Swagger1st too, e.g. here: https://github.com/sarnowski/swagger1st/blob/master/src/io/sarnowski/swagger1st/util/security.clj#L14

[sarnowski]

I am not sure why we want to alter WARN to INFO here? According to our internal Logging guidelines, we have to log it either with WARNING (an error occured but we could handle it somehow) or not log it at all which could be a problem security wise (to detect anomalies).

[hjacobs]

I think it's discussible whether an "error occured" --- all spiders/crawlers around the world will attempt requests without authorization, i.e. it's no error, but usually behavior.

Logging as INFO still makes anomaly detection possible (also number of successful logins can be tracked).

I would strongly advise to remove all WARNings altogether, see Schlomo's presentation: https://twitter.com/s0enke/status/658627097162874880

WARNings suggest that something needs to be done, but in case of client errors there is nothing to be done.

[LappleApple]

Hey @dryewo, what are your plans here? Should we consider adding a "Help Wanted" label?