Also, please make sure neither the password nor salt is ever exposed (i.e., we should never be exposing password or salt outside the Java API, much less a REST API) – i.e., setting a password via REST is okay, but retrieving a password (or salt) – even in a response – is not.
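One way to enforce the constraint above at the type level, as an added example that is not part of the original comment or the project's code: the class keeps the salt and derived hash private with no getters, accepts a password on the write path only, and gives the REST layer a response view built from an allow-list of fields. The `Account` class, its method names and the PBKDF2 parameters are assumptions made for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical class, added for illustration; not the project's code.
public final class Account {
    private final String username;
    private byte[] salt; // no getter: never leaves this class
    private byte[] hash; // no getter: never leaves this class

    public Account(String username) { this.username = username; }

    // Write path: a REST handler may pass the submitted password in here.
    public void setPassword(char[] password) throws GeneralSecurityException {
        byte[] newSalt = new byte[16];
        new SecureRandom().nextBytes(newSalt);
        hash = derive(password, newSalt);
        salt = newSalt;
    }

    // The only read-side operation on the secret is a yes/no answer.
    public boolean verifyPassword(char[] candidate) throws GeneralSecurityException {
        return hash != null && MessageDigest.isEqual(hash, derive(candidate, salt));
    }

    // The only view a REST layer serializes: an allow-list, so a new secret field cannot leak by default.
    public Map<String, Object> toResponse() {
        return Map.of("username", username, "passwordSet", hash != null);
    }

    @Override public String toString() { return "Account[" + username + "]"; } // safe to log

    // KDF choice and parameters are assumptions of this example, not taken from the thread.
    private static byte[] derive(char[] pw, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, 210_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        Account a = new Account("alice"); // constructed sample input
        a.setPassword("correct horse".toCharArray());
        System.out.println(a.toResponse() + " " + a.verifyPassword("wrong".toCharArray()));
    }
}
```

Serializing the entity object directly with a reflection-based JSON mapper would bypass this design, which is why the response is built from `toResponse()` rather than from the fields.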