Add a service layer for password validators.

The password login flow would be more flexible if the back-end validators were more dynamically derived at runtime, making the configuration both reloadable and potentially avoiding the need to duplicate the flow in more exotic scenarios with multiple validators. This should open up the ability to chain validators without using JAAS also.