backend: load invoked classes via reflection so object constructor is called after it has been verified as an IHandler implementation.

this should prevent a potential router vulnerability if non-IHandler autoloader-enabled class is requested by malicious authorized user *and* invoked class object does something insecurely in its constructor.