Update TraceWebFilter to optionally trace more details from the
HttpServletRequest/HttpServletResponse. The `management.trace.include`
property can be used to change what aspects are logged.

Closes gh-3948

jersey-spring3 has a transtive dependencies on HK2’s bean-validator
module that embeds JBoss Logging, Hibernate Validator, and Classmate
without repackaging them. This makes it impossible to control the
version of those three libraries that will be used without relying on
classpath ordering.

This commit excludes the bean-validator dependency from jersey-spring3.
The Jersey starter already depends on our Validation starter which
pulls in the proper, and controllable, version of the three
dependencies listed above so users of our starters will be unaffected.

Closes gh-4186

Closes gh-3525

Closes gh-4124

See gh-4019

Closes gh-3853

Closes gh-3862

Closes gh-3813

Closes gh-3576

Closes gh-3767

Closes gh-2477

Closes gh-1768

Closes gh-3999

Previously, no `errors` attribute is made available in the standard JSON
error document if a request body object is invalid. This is due to the
fact that the framework throws a `MethodArgumentNotValidException holding
a `BindingResult` object that was not detected.

We now make sure to extract the `BindingResult` from such exception.

Closes gh-4166

Previously, EndpointWebMvcChildContextConfiguration would attempt to
create a /error endpoint, irrespective of whether or not the parent
had such an endpoint. If the endpoint was disabled in the parent this
would cause a failure due to the absence of an ErrorAttributes bean.

This commit updates EndpointWebMvcChildContextConfiguration to make
the creation of its /error endpoint conditional on the existence of
an ErrorAttributes bean.

Closes gh-4164

Closes gh-4028

Previously, SecurityFilterAutoConfiguration would be created even if
spring-security-web was not on the classpath. This didn't cause a
failure as all of its beans were disabled. It was, however, wasteful,
as the configuration class was processed and a bean created for it
unnecessarily.

This commit makes the whole class conditional on the presence of
spring-security-web so that it will be skipped entirely when the
dependency is not available.

Closes gh-4160

This commit adds dependency management for Cassandra Driver’s three
modules. The version is the latest maintenance release of the minor version that’s used by Spring Data Cassandra in the Spring Data Gosling release train.

Closes gh-4167

Update remote restart support so that JARs multi-module projects work.

Fixes gh-4040

Add an `excludeDevtools` property to both the Maven and Gradle plugin
that removes `org.springframework.boot:spring-boot-devtools` (if
necessary) when repackaging the application.

Closes gh-3171

See gh-4104

Update SecurityFilterAutoConfiguration to use a DelegatingFilterProxy
filter rather directly referencing the springSecurityFilterChain bean.

Using a DelegatingFilterProxy helps to prevent early initialization of
beans and makes Spring Security work in a similar to way to if were
installed in a regular WAR deployment.

Fixes gh-4154

Add a RegistrationBean that can be used to create DelegatingFilterProxy
filters that don't cause early initialization.

Fixes gh-4165

Closes gh-4104

Closes gh-4157

Spring Boot will eagerly initialize a `ConversionService` named
`conversionService` for configuration keys processing. This commit adds
a note in the documentation regarding that special behaviour.

Closes gh-4162

Spring Security 4’s default configuration will, irrespective of any
other header writers that are added, enable writers for the following
headers:

 - X-Content-Type
 - X-XSS-Protection
 - Cache-Control
 - X-Frame-Options

Previously, SecurityProperties.headers used false as the default for the
properties that enable or disable these headers but the configuration is
only applied when the properties are true. This left us with the right
default behaviour (the headers are enabled) but meant that the
properties could not be used to switch off the headers.

This commit changes the defaults for the four properties to true and
updates SpringBootWebSecurityConfiguration to only apply the
configuration when the properties are false. This leaves us with the
desired defaults while allowing users to disable one or more of the
properties by setting the relevant property to false.

Closes gh-3517

So far we have wrongly advertized that the `spring-boot-starter-parent`
filters application configuration in such a way that standard Spring
placeholders are not processed.

In order to achieve such feature, the `useDefaultDelimiters` property
must be set to `false` as otherwise default delimiters are appended to
the list of custom delimiters.

This property is not enabled so that only keys surrounded by `@` are
filtered by the build.

Closes gh-3092

The second level cache of Hibernate can be configured with dedicated
factories that look up for the presence of a cache infrastructure. As
Hibernate shouldn't have to know about Spring, that lookup is done
against the respective proprietary APIs.

We now make sure that caching (and the general purpose Hazelcast
auto-configuration) is fully processed before JPA kicks in. In particular
an explicit `dependsOn` attribute on those beans is added when they are
processed.

Closes gh-4158

Update ConfigFileEnvironmentPostProcessor to load profile specific
sections for all previously processed profiles. Prior to this commit
multi-profile YAML files were only loaded from the root
`application.yml` file.

With the updated logic, an `application-test.yml` file containing the
following:

	someTestProperty: xyz
	---
	spring:
	  profiles: profile1
	  specificProperty: one

Can have the profile sub-document loaded using:

	-Dspring.profiles.active=test,profile1

Fixes gh-4132

Closes gh-4135