Now that we're in the RC phase and close to release, we only want to
pick up maintenance releases of our managed dependencies. This commit
updates bomr's config accordingly.

Closes gh-18626

Closes gh-18525

Previously, the documentation did not describe how to combine
multiple security components when one component's
WebSecurityConfigurerAdapter or SecurityWebFilterChain would cause
the other components' beans of the same type to back off.

This commit adds a note that such cases should be handled by the user
defining their own WebSecurityConfigurerAdapter or
SecurityWebFilterChain that configures the use of all of the
components as required.

Closes gh-18507

This commit renames the `server.jetty.idle-timeout` property to
`server.jetty.thread-idle-timeout`, since there are other timeout
properties that are not tied to the threadpool configuration (e.g. the
connection idle timeout).

We might regroup thread-related properties in a dedicated group in the
future, see gh-18620.

Fixes gh-18615

* gh-18619:
  Remove accidental JavaVersion.current() call in BootRun

Closes gh-18619

It was added accidentally in d2b28ceb.

See gh-18619

Previously, the methods were named addServerProcessors and
setServerProcessors which wasn't aligned with them taking
socket factory processors (ServerRSocketFactoryProcessor) as an
argument.

This commit renames the methods to align them more closely with the
type of their arguments.

Closes gh-18617

See gh-18473

Closes gh-18618

Prior to this commit, all supported servers would share the same
configuration property `server.connection-timeout`. Unfortunately, in
many cases the behavior of this timeout changes depending on the server.
From actual connection setup timeout, to detecting and closing idle
connections, this property cannot be properly translated from one server
implementation to another.

This commit deprecates this configuration property and introduces server
specific properties:

* `server.jetty.connection-idle-timeout`
(Time that the connection can be idle before it is closed.)
* `server.netty.connection-timeout`
(Connection timeout of the Netty channel.)
* `server.tomcat.connection-timeout`
(Amount of time the connector will wait, after accepting a connection,
for the request URI line to be presented.)
* `server.undertow.no-request-timeout`
(Amount of time a connection can sit idle without processing a request,
before it is closed by the server.)

`server.connection-timeout` is now deprecated and will be removed in a
future release.

Fixes gh-18473

Closes gh-18614

* pr/18612:
  Use LinkedHashSet for deterministic order in test assertion

Closes gh-18612

See gh-18612

Closes gh-18609

Closes gh-18608

Closes gh-18607

Closes gh-18526

Previously, a WebSecurityConfigurerAdapter would be configured
irrespective of whether or not the user had provided their own
WebSecurityConfigurerAdapter. This then required them to use ordering
to diambiguate the configuration and made it harder to take complete
control of security configuration.

This commit updates the configuration of the SAML 2 login configurer
adapter to be conditional on missing bean, aligning it with other
security configuration such as the equivalent OAuth 2 configurer
adapter.

Closes gh-18530

Previously, when a NoSuchBeanDefinitionException was being analyzed,
the possibility of a missing @ConstructorBinding annotation on a
@ConfigurationProperties class was not considered.

This commit updates the failure analysis for failed constructor
injection of an instance of a @ConfigurationProperties-annotated
class. When such a failure occurs, adding @ConstructorBinding is
now suggested as an action.

Closes gh-18545

Closes gh-18602

Closes gh-18601

Closes gh-18600

Closes gh-18599

Closes gh-18598

Closes gh-18597

Closes gh-18596

Closes gh-18595

Closes gh-18594

Closes gh-18592

Closes gh-18603

See gh-18229

See gh-18440

Due to a current limitation of Spring Framework, when bean metadata
caching is disabled, a merged bean definition may have a null
resolved factory method that would have been non-null if bean metadata
caching was enabled. Configuration property binding for @Bean methods
annotated with @ConfigurationProperties relied upon the resolved
factory method being enabled to find the @ConfigurationProperties
annotation and trigger property binding. As a result, when bean
metadata caching is disabled on the bean factory, such
@ConfigurationProperties beans would not be bound.

This commit works around the limitation by adding a fallback that
performs a reflection-based search for the factory method when the
resolved factory method on the bean definition is null. This allows
the bean's factory method and any @ConfigurationProperties annotation
on it to be found, ensuring that propoerty binding is then performed.

Fixes gh-18440

* pr/18477:
  Polish "Add some more notes on running exploded jar files"
  Add some more notes on running exploded jar files

Closes gh-18477

See gh-18477

See gh-18477

Closes gh-18588