Package org.apache.openejb.core.security

This security service chooses a UUID as its token as this can be serialized to clients, is mostly secure, and can be deserialized in a client vm without addition openejb-core classes.

Spec 16.4.1: must support CallerPrincipalCallback, GroupPrincipalCallback, PasswordValidationCallback.