OF-3258: Guard against user enumeration in ScramSha1SaslServer
This replaces the use of randomly generated salts for unknown users with a deterministic but cryptographically unpredictable value derived from the username and a server-side secret.
Prior to this change, a non-deterministic salt was used, which can be used (by retrieving it more than once) to determine if a user exists.
OF-3258 (code review): Guard against misbehaving AuthProviders
When an AuthProvider cannot return a password, it should throw one of the exceptions defined in the contract, rather than return a null password.
This change guards against misbehaving providers that return null, by interpreting null in the same way as a non-existent user and/or missing support for password retrieval.
OF-3258 (code review): Fake salts should be similar in size to real ones
Fake salts are used to prevent attackers from determining whether a username exists. For this to work, the salts need to be indistinguishable from real ones. Using the same size for both helps.
OF-3257/OF-3258: Improve one-time initialization of SERVER_SECRET_NONEXISTENT_USERS
The previous method for one-time initialization of the SERVER_SECRET_NONEXISTENT_USERS property (which depended on a static initializer block) proved to be fragile.
In this commit, initialization happens in a getter that should be used instead of directly accessing the property.
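The approach these commit messages describe, as an added sketch that is not Openfire's own code: a fake salt derived from the username and a lazily initialized server secret, compared with the per-request random salt it replaces. The use of HMAC-SHA-256, the 24-byte salt length, and all class, field and method names are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class FakeSaltDemo {
    // Assumption: real salts in this sketch are 24 random bytes; match the real credential store.
    static final int SALT_LENGTH = 24;
    private static byte[] serverSecret; // hypothetical stand-in for the server-side secret

    // Initialised on first use through the getter; callers never read the field directly.
    static synchronized byte[] getServerSecret() {
        if (serverSecret == null) {
            serverSecret = new byte[32];
            new SecureRandom().nextBytes(serverSecret); // a real server would persist this value
        }
        return serverSecret;
    }

    // Deterministic per username, unpredictable without the secret, same length as a real salt.
    static byte[] fakeSalt(String username) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(getServerSecret(), "HmacSHA256"));
        byte[] digest = mac.doFinal(username.getBytes(StandardCharsets.UTF_8));
        return Arrays.copyOf(digest, SALT_LENGTH); // 32-byte digest truncated to 24 bytes
    }

    // The behaviour the first commit replaces: a new random salt on every request.
    static byte[] randomSalt() {
        byte[] salt = new byte[SALT_LENGTH];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String user = "no-such-user"; // constructed username
        Base64.Encoder b64 = Base64.getEncoder();
        // Two requests for the same unknown user: random salts differ, derived salts match.
        System.out.println("random : " + b64.encodeToString(randomSalt()) + " / " + b64.encodeToString(randomSalt()));
        System.out.println("derived: " + b64.encodeToString(fakeSalt(user)) + " / " + b64.encodeToString(fakeSalt(user)));
        System.out.println("stable : " + Arrays.equals(fakeSalt(user), fakeSalt(user)));
        System.out.println("length : " + fakeSalt(user).length + " == " + SALT_LENGTH);
    }
}
```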