Add realm-management role for api access

[msiegenthaler]

I wasn't completely happy with the approach from #10 (this PR replaces #10). While it works fine it has the danger that if the admin deletes the realm role the API would be unprotected again. This would be unexpected to the admin (at least to me).

So here's a new take:

• add a realm-management client role for api usage. Makes more sense that a realm-level role anyway
• protect all api access with that role centrally in the Authentication class (same location where the client id is checked as well)
• provide a toggle to turn that behaviour off. By default it would be on. By turning it off you'd still be able to do everything the same way as before (even no-auth)
• add a db migration that turns the protection off on existing configurations. That way everything stays as it was before.

The implementation isn't fully done yet, e.g. I've not yet tested the config UI or added tests (or fixed integration tests).

I like this approach better as it is less intrusive and it's harder for the admin to accidentally compromise security. What do you think?

[Captain-P-Goldfish]

I actually prefer #10. Adding this would be pretty much the same as what is already there. The only difference is that it is a client-role that is required now instead of a realm role. I can't see the actual benefit here. Besides the commit is incomplete see scrrenshot:

[Captain-P-Goldfish]

I am going to close this one. I added some security considerations into the README.MD file