SecurityFactory<Credential> used in API is too strict

In several places in the API, `SecurityFactory<Credential>` is used, but its bound is too strict, disallowing passing in specific instances, e.g. `SecurityFactory<GSSKerberosCredential>`.
These should all be replaced with `SecurityFactory<? extends Credential>`.

An example of code that doesn't work:

SecurityFactory<GSSKerberosCredential> ksf = ...;
CredentialSource cs = CredentialSource.fromSecurityFactory(ksf); // Compiler error: required SecurityFactory<Credential> provided SecurityFactory<GSSCredential>

Similar issue in the following method:

MechanismConfiguration.setServerCredential(SecurityFactory<Credential> credentialFactory)