Configure whether password hash values should be returned via REST calls

Currently all methods returning UserTO instances include hashed password values.
Such values are pretty useless for any lawful usage, so it is safer to not return such values by default, and allow overriding this setting via global configuration.