Refactor authentication management

* AuthenticationProvider-agnostic User object allows access to common
  user attributes: userId, loginId, authProvider, etc.
* Auto-create UserProfiles for external accounts
* Use userId (instead of loginId) for permission checks
* Use custom implementation for Pac4j integration
  (remove org.pac4j.spring-security-pac4j)
* Move authentication logic from controller to service layer
* Remove user room role handling
* Rename targetDomainType 'session' to 'room'