SecurityProviderRegistration doesn't fill the composite context

when aggregating security configurations of the same type in SecurityProviderRegistration the context hold by CompositeConfiguration remains empty (in contrast to the corresponding call in SecurityProviderImpl). This particularly affects authorization where it is crucial to identify that a given item is defined by the authorization model and thus is a different type of node/property.

To fix that we might consider changing the way SecurityProviderRegistration populates the aggregates or (if that is not possible) fix the CompositeConfiguration. In general the issue was introduced when removing the final flag from the various Composite*Configuration}}s together with a optimization in {{CompositeConfiguration.