At least some Authority implementations should be JsonSerializable if not JsonUnserilazable.

It would be nice if we could replace RequestContext::exportSession and RequestContext::importScopedSession mechanism.

The SimpleAuthority and AllAuthority classes are trivially JsonSerializable and unserializable. For WebRequestAuthority we probably don't want it to become JsonSerializable cause there's no good way to unserialize it back. Perhaps we could create a SerializableAuthority interface and add an 'export' or 'snapshot', or 'asSerializable' method to Authority to do the conversion.

For WebRequestAuthority, it will create a simpleAuthority with the same UserIdentity and same permissions, block status (?), web request details (?) and return it. For others it will simply return $this.