Remove reliance on Spring Security API outside of security package

In AdminApiImpl.createTenantRegistration, we're directly calling Spring Security APIs. This creates a tight coupling to Spring Security, which goes against our goal of keeping things loosely coupled.

Also, please check the rest of the codebase to see if there are other spots where Spring Security is being used directly, and refactor them accordingly.
