Problem is this: currently a principal is stored in the session and cached. To avoid relying on stale data, we simply use the current principal to look up the ID and then refetch the user using the service. This creates a double penalty: one hit for the initial authentication, and N more hits each time we look up the system user. Instead:
Implement SecurityContextRepository. The SecurityContextRepository could, instead of storing the User in the session, store the User ID in the session and then on each request look up the User from the service tier and place that in the SecurityContext. The service tier, in turn, could employ @Cacheable to cache requests.
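
A sketch of the proposal above, added here as an example and not code from this issue or the project. It assumes Spring Security 6 (jakarta.servlet, Java 17); `UserLookup`, `findById`, the `AUTH_USER_ID` attribute name and the use of the username as the user ID are hypothetical. Because the user is reloaded on every request, a deleted, disabled or locked account stops being authenticated on its next request instead of living on in the session.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;

public class UserIdSecurityContextRepository implements SecurityContextRepository {
    private static final String USER_ID_ATTR = "AUTH_USER_ID"; // only this goes in the session
    /** Hypothetical service-tier lookup; its implementation may be annotated @Cacheable. */
    public interface UserLookup { UserDetails findById(String userId); }
    private final UserLookup users;
    public UserIdSecurityContextRepository(UserLookup users) { this.users = users; }

    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        HttpSession session = holder.getRequest().getSession(false); // never create one here
        Object id = (session == null) ? null : session.getAttribute(USER_ID_ATTR);
        if (id == null) return ctx;
        UserDetails user = users.findById((String) id); // current state from the service tier
        if (user == null || !user.isEnabled() || !user.isAccountNonLocked()) {
            session.removeAttribute(USER_ID_ATTR); // deleted, disabled or locked: drop the login
            return ctx;
        }
        ctx.setAuthentication(new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities()));
        return ctx;
    }

    @Override
    public void saveContext(SecurityContext ctx, HttpServletRequest req, HttpServletResponse res) {
        Authentication auth = ctx.getAuthentication();
        HttpSession session = req.getSession(false);
        if (auth != null && auth.isAuthenticated() && auth.getPrincipal() instanceof UserDetails u) {
            req.getSession(true).setAttribute(USER_ID_ATTR, u.getUsername()); // username as ID: assumption
        } else if (session != null) {
            session.removeAttribute(USER_ID_ATTR); // anonymous or logged out
        }
    }

    @Override
    public boolean containsContext(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session != null && session.getAttribute(USER_ID_ATTR) != null;
    }
}
```

If the service tier caches lookups, the cache entry has to be evicted when a user is disabled or their authorities change; otherwise the cache becomes the new source of stale data.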