I'm going to post a PR for this but here's the short story. Redis counts as "data at rest" in a lot of organizations and must be encrypted. We are using a SessionAttributesTranscoder that encrypts the byte[] with AES-GCM, but to our surprise, the passwords were stored in plaintext in Redis.
My proposal is to have a serialization strategy for the Principal and request attributes.
This would also allow people to write custom serializers to fix #427.
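As an added illustration of the behaviour reported above (example code written for this page, not the project's own): the attributes-only path passes just the attribute bytes through an AES-GCM step and writes the Principal beside them unchanged, the whole-session path covers both, and `LeaksSecret` is the at-rest check that tells the two apart. The `Session` layout, the map-based Principal carrying a `password` entry and the key are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
)

// Session is an assumed stand-in for what the store writes to Redis: the
// authenticated Principal (which may carry the credential) plus the attributes.
type Session struct {
	Principal  map[string]string `json:"principal"`
	Attributes map[string]string `json:"attributes"`
}

// seal encrypts plaintext with AES-GCM and prepends the random nonce.
func seal(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong-length key is a programming error here
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// SerializeAttributesOnly models the reported behaviour: only the attribute
// bytes go through the encrypting transcoder; the Principal is stored as-is.
func SerializeAttributesOnly(key []byte, s Session) []byte {
	principal, _ := json.Marshal(s.Principal)
	attrs, _ := json.Marshal(s.Attributes)
	return append(principal, seal(key, attrs)...)
}

// SerializeWholeSession models the proposal: one serialization strategy
// covers Principal and attributes, so every field reaches Redis encrypted.
func SerializeWholeSession(key []byte, s Session) []byte {
	whole, _ := json.Marshal(s)
	return seal(key, whole)
}

// LeaksSecret is the data-at-rest check: is the secret present verbatim
// in the blob that would be written to Redis?
func LeaksSecret(blob []byte, secret string) bool {
	return bytes.Contains(blob, []byte(secret))
}
```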