Closed
Description
See #4220 and the RFD vulnerability in Spring (patched in 4.2.3 and 4.1.9). We really don't need to be able to handle requests for paths like `/trace.bat` (or `/trace.<anything>`) so we don't need the default handler mapping behaviour for extensions (which now results in the confusing `f.txt` download for unknown or non-whitelisted extensions).
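
A simplified model of the behaviour the description refers to, added here as an illustration and not Spring's or Spring Boot's own code: with suffix-pattern matching on, `/trace.bat` reaches the `/trace` endpoint and gets the `f.txt` download header, and with it off the same path is simply not mapped. The endpoint list, the safe-extension subset, the exact header value and the function names are assumptions made for the example.

```python
# Simplified model (an assumption, not Spring source) of suffix-pattern
# matching plus the Content-Disposition behaviour added by the RFD fix.

# Constructed subset of extensions treated as safe to render inline.
SAFE_EXTENSIONS = {"json", "xml", "txt"}

# Constructed endpoint paths; /trace is the one named in the issue.
ENDPOINTS = ["/trace", "/health"]


def match(path, use_suffix_pattern):
    """Return the pattern that maps `path` to an endpoint, or None."""
    if path in ENDPOINTS:
        return path
    if use_suffix_pattern:
        for pattern in ENDPOINTS:
            prefix = pattern + "."
            # "/trace" is also tried as "/trace.*" within one path segment.
            if path.startswith(prefix) and "/" not in path[len(prefix):]:
                return pattern + ".*"
    return None


def respond(path, use_suffix_pattern):
    """Return (status, headers) the modelled server sends for `path`."""
    if match(path, use_suffix_pattern) is None:
        return 404, {}
    headers = {}
    last_segment = path.rsplit("/", 1)[-1]
    if "." in last_segment:
        ext = last_segment.rsplit(".", 1)[1].lower()
        if ext and ext not in SAFE_EXTENSIONS:
            # Forces a neutral download name instead of trace.bat.
            headers["Content-Disposition"] = "attachment;filename=f.txt"
    return 200, headers


if __name__ == "__main__":
    for suffix in (True, False):
        for p in ("/trace", "/trace.json", "/trace.bat"):
            print(suffix, p, respond(p, suffix))
```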