Spring Security should adopt JSpecify for Null safety as is done in Spring Framework

Related https://github.com/spring-projects/spring-framework/issues/28797

Notes on Changes

Prior to this work, passwords were sometimes treated as never null, but the reality is that they could be null (when clearCredentials was invoked). This inconsistency was also present in APIs (e.g. PasswordEncoder) that produced and consumed passwords. The semantic meaning of a null password is now clearly defined as no password for the user.

NOTE: This is done in the parent issue vs each module because things like nullability of passwords impacts more than just the core project where the API is defined.