The ReST interface doesn't encrypt or hash the password you supply via POST when creating a user. The WebUI obviously does this for you, and I can't imagine why you wouldn't want the REST API to do it for you as well so here's a patch. Even respects the salt attribute to preserve the ability to use the old crappy uppercase MD5 algorithm.
To accomplish this I'm using UserManager.saveUser(String name, User details) rather than UserManager.save(OnmsUser user). I suppose the same could be accomplished by modifying UserManager.save(OnmsUser user) but I didn't want to mess with that in case something else depended on that functionality.
Includes the appropriate change to the unit test.