You can do like Spring Security Core
plugin does, provide the User
class as a template, so your application that use this plugin can choose between creating his own class or installing your default User class.
The plugin user template is here, and the script responsible to create this in the application is here.
You will need also a config value to know the class to use, and use it dynamic.
P.S: there are good security plugins like Shiro and Spring Security, maybe it's easier to check them instead of create your own.