[MERGE]  http routing: fix handle_exception logic and _authenticate exceptions

* Better separate JsonRequest and HttpRequest handling
for exceptions, so each type of request handles exception
the right way. Previously HttpRequest would supersede
JsonRequest in some cases and generate pure HTML
responses where a JSON result was expected.
* Also ensure that ir.http._authenticate() only raises
two possible exception types, hiding any other kind
of internal errors:
 - openerp.exceptions.AccessDenied
 - openerp.http.SessionExpiredException