Finally support lastAttemptedUrl properly on expired authentication

Correction of the permit function and adding fallback for
getLastAttemptedUrl behavior along with removal of the
clearLastAttemptedUrl method. Worked through all validations in an
application and finally proved out how this should behave to support
re-authentication processing and not lose the target URL as hops happen.