The spring-boot-cloudfoundry module should only have an optional dependency on spring-boot-security

[matthew-js-porter]

spring-boot-cloudfoundry has an implementation dependency on spring-boot-security:

spring-boot/module/spring-boot-cloudfoundry/build.gradle

Line 31 in b2bc463

implementation(project(":module:spring-boot-security"))

This causes Spring Security to be configured in applications otherwise not using it. Should spring-boot-security be an optional dependency instead?

excluding spring-boot-security from spring-boot-cloudfoundry seems to function as expected.

<dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-cloudfoundry</artifactId>
      <exclusions>
        <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-security</artifactId>
        </exclusion>
      </exclusions>
</dependency>

[philwebb]

I think it should be optional, the only imports I can find are in org.springframework.boot.cloudfoundry.autoconfigure.actuate.endpoint.reactive.CloudFoundryReactiveActuatorAutoConfiguration.IgnoredPathsSecurityConfiguration and org.springframework.boot.cloudfoundry.autoconfigure.actuate.endpoint.servlet.CloudFoundryActuatorAutoConfiguration.IgnoredCloudFoundryPathsWebSecurityConfiguration. Both have @ConditionalOnClass guards.