Add Password Advice Support #17118


Status: Draft, wants to merge 1 commit into base branch main

Conversation

jzheaux (Contributor)

@jzheaux jzheaux commented May 15, 2025

This commit adds configuration options to .passwordManagement to allow for additional password management flows:

  1. Show a default change password page and enforce configured password rules
  2. Enforce configured password rules at login time; either request or require that the user change their password accordingly
  3. Allow an admin to force password changes

You can activate them by publishing a UserDetailsPasswordManager bean and using the PasswordManagement DSL:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Bean
UserDetailsService users() {
    // The published bean must implement UserDetailsPasswordManager for the new flows to activate
    // ...
    return new InMemoryUserDetailsManager(...);
}

// ...

@Bean
SecurityFilterChain securityFilters(HttpSecurity http) throws Exception {
    http
        // ...
        // Default configuration: compromised-password advisor plus the stored-advice advisor
        .passwordManagement(Customizer.withDefaults());

    return http.build();
}
```

Since these flows require a UserDetailsPasswordManager bean, and because .passwordManagement is a pre-existing DSL, they remain inactive until that bean is provided.

Some things to try:

  • ChangePasswordAdvisor - the PR contains several sample implementations of this interface. They can be composed in DelegatingChangePasswordAdvisor to form a custom set of password requirements. By default, two advisors are active: the compromised password advisor and the password advice advisor, which checks for any existing advice.
  • ChangePasswordAdvice.Action - the existing advisors can be configured to have a different action, for example changing the failure action to Action.MUST_CHANGE instead of Action.SHOULD_CHANGE
  • UserDetailsPasswordManager contains any advice tied to a user. By default, .passwordManagement only checks at login time and when a password changes. However, you can write a ChangePasswordAdviceRepository implementation that checks the UserDetailsPasswordManager on each request so that the user is advised mid-session if changes are needed.
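To make the composition described above concrete, here is an added model of the advice flow. It is not code from the PR or from Spring Security: the class names echo the PR's vocabulary (Action, ChangePasswordAdvice, DelegatingChangePasswordAdvisor, UserDetailsPasswordManager), but every method signature, the `advise(username, password)` contract, the SHA-1 breach corpus and the sample user are assumptions constructed for the illustration. It shows the two default advisors, an advisor configured with a stricter action, the delegating advisor picking the strictest result, and an administrator-forced change surfacing at the next login.

```python
# Added illustration of the password-advice flow the PR describes. This is not
# Spring Security's code: the class names echo the PR's vocabulary, but every
# signature here is an assumption made for the model.
from dataclasses import dataclass
from enum import IntEnum
import hashlib


class Action(IntEnum):
    """Ordered so that the strictest outcome wins when advice is combined."""
    NONE = 0
    SHOULD_CHANGE = 1   # ask the user to change, but let the session proceed
    MUST_CHANGE = 2     # block everything except the change-password page


@dataclass(frozen=True)
class ChangePasswordAdvice:
    action: Action
    reason: str


# Constructed sample breach corpus, keyed by SHA-1 like most published lists so
# the plaintexts are never stored alongside the application.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("password", "123456", "qwerty")
}


class CompromisedPasswordAdvisor:
    """Flags passwords present in a breach corpus; the resulting action is configurable."""

    def __init__(self, action=Action.SHOULD_CHANGE, corpus=COMPROMISED_SHA1):
        self.action = action
        self.corpus = corpus

    def advise(self, username, password):
        digest = hashlib.sha1(password.encode()).hexdigest()
        if digest in self.corpus:
            return ChangePasswordAdvice(self.action, "password appears in a breach corpus")
        return None


class UserDetailsPasswordManager:
    """Holds per-user advice, for example a reset an administrator has forced."""

    def __init__(self):
        self._advice = {}

    def require_change(self, username, reason="reset required by administrator"):
        self._advice[username] = ChangePasswordAdvice(Action.MUST_CHANGE, reason)

    def advice_for(self, username):
        return self._advice.get(username)

    def update_password(self, username, new_password):
        # A successful change clears outstanding advice; storing the new
        # credential itself is out of scope for this model.
        self._advice.pop(username, None)


class ExistingAdviceAdvisor:
    """Surfaces advice already stored for the user, whatever password was presented."""

    def __init__(self, manager):
        self.manager = manager

    def advise(self, username, password):
        return self.manager.advice_for(username)


class DelegatingChangePasswordAdvisor:
    """Runs every advisor and returns the strictest piece of advice, or None."""

    def __init__(self, advisors):
        self.advisors = list(advisors)

    def advise(self, username, password):
        found = [a.advise(username, password) for a in self.advisors]
        found = [adv for adv in found if adv is not None]
        if not found:
            return None
        return max(found, key=lambda adv: adv.action)


def default_advisor(manager):
    """The default composition the PR describes: compromised-password check plus stored advice."""
    return DelegatingChangePasswordAdvisor(
        [CompromisedPasswordAdvisor(), ExistingAdviceAdvisor(manager)]
    )


def action_at_login(advisor, username, password):
    """Action to apply once the credentials themselves have already been verified."""
    advice = advisor.advise(username, password)
    return Action.NONE if advice is None else advice.action


if __name__ == "__main__":
    manager = UserDetailsPasswordManager()
    advisor = default_advisor(manager)
    print(action_at_login(advisor, "alice", "correct horse battery staple").name)  # NONE
    print(action_at_login(advisor, "alice", "password").name)                      # SHOULD_CHANGE
    manager.require_change("alice")
    print(action_at_login(advisor, "alice", "correct horse battery staple").name)  # MUST_CHANGE
```

Ordering Action as an IntEnum is the design choice that lets the delegating advisor combine results with a plain `max`: an advisor that only suggests a change never downgrades one that requires it. A mid-session check, as the PR suggests via a custom ChangePasswordAdviceRepository, would call `manager.advice_for(username)` on each request instead of only at login.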

@jzheaux jzheaux marked this pull request as draft May 15, 2025 16:28