Closes gh-2477

Closes gh-1768

Closes gh-3999

Previously, no `errors` attribute is made available in the standard JSON
error document if a request body object is invalid. This is due to the
fact that the framework throws a `MethodArgumentNotValidException holding
a `BindingResult` object that was not detected.

We now make sure to extract the `BindingResult` from such exception.

Closes gh-4166

Previously, EndpointWebMvcChildContextConfiguration would attempt to
create a /error endpoint, irrespective of whether or not the parent
had such an endpoint. If the endpoint was disabled in the parent this
would cause a failure due to the absence of an ErrorAttributes bean.

This commit updates EndpointWebMvcChildContextConfiguration to make
the creation of its /error endpoint conditional on the existence of
an ErrorAttributes bean.

Closes gh-4164

Closes gh-4028

Previously, SecurityFilterAutoConfiguration would be created even if
spring-security-web was not on the classpath. This didn't cause a
failure as all of its beans were disabled. It was, however, wasteful,
as the configuration class was processed and a bean created for it
unnecessarily.

This commit makes the whole class conditional on the presence of
spring-security-web so that it will be skipped entirely when the
dependency is not available.

Closes gh-4160

This commit adds dependency management for Cassandra Driver’s three
modules. The version is the latest maintenance release of the minor version that’s used by Spring Data Cassandra in the Spring Data Gosling release train.

Closes gh-4167

Update remote restart support so that JARs multi-module projects work.

Fixes gh-4040

Add an `excludeDevtools` property to both the Maven and Gradle plugin
that removes `org.springframework.boot:spring-boot-devtools` (if
necessary) when repackaging the application.

Closes gh-3171

See gh-4104

Update SecurityFilterAutoConfiguration to use a DelegatingFilterProxy
filter rather directly referencing the springSecurityFilterChain bean.

Using a DelegatingFilterProxy helps to prevent early initialization of
beans and makes Spring Security work in a similar to way to if were
installed in a regular WAR deployment.

Fixes gh-4154

Add a RegistrationBean that can be used to create DelegatingFilterProxy
filters that don't cause early initialization.

Fixes gh-4165

Closes gh-4104

Closes gh-4157

Spring Boot will eagerly initialize a `ConversionService` named
`conversionService` for configuration keys processing. This commit adds
a note in the documentation regarding that special behaviour.

Closes gh-4162

Spring Security 4’s default configuration will, irrespective of any
other header writers that are added, enable writers for the following
headers:

 - X-Content-Type
 - X-XSS-Protection
 - Cache-Control
 - X-Frame-Options

Previously, SecurityProperties.headers used false as the default for the
properties that enable or disable these headers but the configuration is
only applied when the properties are true. This left us with the right
default behaviour (the headers are enabled) but meant that the
properties could not be used to switch off the headers.

This commit changes the defaults for the four properties to true and
updates SpringBootWebSecurityConfiguration to only apply the
configuration when the properties are false. This leaves us with the
desired defaults while allowing users to disable one or more of the
properties by setting the relevant property to false.

Closes gh-3517

So far we have wrongly advertized that the `spring-boot-starter-parent`
filters application configuration in such a way that standard Spring
placeholders are not processed.

In order to achieve such feature, the `useDefaultDelimiters` property
must be set to `false` as otherwise default delimiters are appended to
the list of custom delimiters.

This property is not enabled so that only keys surrounded by `@` are
filtered by the build.

Closes gh-3092

The second level cache of Hibernate can be configured with dedicated
factories that look up for the presence of a cache infrastructure. As
Hibernate shouldn't have to know about Spring, that lookup is done
against the respective proprietary APIs.

We now make sure that caching (and the general purpose Hazelcast
auto-configuration) is fully processed before JPA kicks in. In particular
an explicit `dependsOn` attribute on those beans is added when they are
processed.

Closes gh-4158

Update ConfigFileEnvironmentPostProcessor to load profile specific
sections for all previously processed profiles. Prior to this commit
multi-profile YAML files were only loaded from the root
`application.yml` file.

With the updated logic, an `application-test.yml` file containing the
following:

	someTestProperty: xyz
	---
	spring:
	  profiles: profile1
	  specificProperty: one

Can have the profile sub-document loaded using:

	-Dspring.profiles.active=test,profile1

Fixes gh-4132

Closes gh-4135

Closes gh-4151

Closes gh-4150

Closes gh-4149

Closes gh-4148

Closes gh-4140

Closes gh-4147

Prior to 8.0.28 Tomcat required the key store and trust store (if any)
to be available directly on the filesystem, i.e. classpath: resources
would not work. Tomcat 8.0.28 removed this limitation.

This commit updates to Tomcat 8.0.28, updates the tests to verify
the new Tomcat capability and removes the obsolete documentation of
the restriction.

Closes gh-4048

Previously, the parent context was only considered when the builder
was used to run the application. If the application was built using
the builder and then run using SpringApplication.run, the parent
context was not considered.

This commit updates the builder to consider the parent both when it's
used to run the application and when it's used to build the
application that will later be run via SpringApplication.run

Closes gh-4014

When the actuator is enabled, Spring Boot provides two `MBeanExporter`
bean definitions: a general purpose one and a dedicated one for Actuator
endpoints.

This commit flag the general purpose one `@Primary` so that component
can safely inject it by type if necessary. In particular, this fix the
doc of the `JmxMetricWriter`.

Closes gh-4007

Gradle 2.0, and only 2.0, requires a Plugin implementation to be
public. The changes made in gh-4113 (9c14ed35) made the class
package-private.

Closes gh-4139