Describe the bug

Spring projects should use Spring Framework's spring-jcl module in place of commons-logging:commons-logging; however, some Spring Security modules pull in commons-logging:commons-logging as a transitive dependency. spring-security-openid in 5.5.x is one example. spring-security-saml2-service-provider in 5.4.x is another.

To Reproduce

Looking at build scans on ge.spring.io is one way to observe the problem for 5.5.x at least (I couldn't find any scans tagged with 5.4.x). You can also see commons-logging:commons-logging leaking into Spring Boot's build via Spring Security (and many other dependencies) in Boot's build scans such as this one.

Expected behavior

commons-logging is not a direct or transitive dependency of any Spring Security module.

Sample

N/A.
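
A check for the expected behavior above, as an added example that is not part of the original issue or of Spring Security's build: it parses the text output of `gradle dependencies` and reports each path through which commons-logging:commons-logging arrives. The sample tree and its com.example coordinates are constructed placeholders, not findings from the build scans.

```python
import re

TARGET = "commons-logging:commons-logging"

# Constructed sample of `gradle dependencies --configuration runtimeClasspath`
# output; the com.example coordinates and all versions are placeholders.
SAMPLE_TREE = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework:spring-core:5.3.0
|    \--- org.springframework:spring-jcl:5.3.0
+--- com.example:legacy-openid-client:1.0
|    +--- com.example:legacy-http:1.0
|    |    \--- commons-logging:commons-logging:1.2
|    \--- org.springframework:spring-core:5.3.0 (*)
\--- commons-logging:commons-logging:1.1 -> 1.2
"""

# Each tree level is 5 columns wide ("|    " or "     "), followed by the
# "+--- " or "\--- " marker and the group:artifact:version coordinate.
NODE = re.compile(r"^(?P<indent>(?:[| ] {4})*)[+\\]--- (?P<coord>\S+)")


def find_paths(tree_text, target=TARGET):
    """Return every dependency path (root first) that ends at `target`."""
    stack, paths = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            stack = []  # configuration header or blank line starts a new tree
            continue
        depth = len(m.group("indent")) // 5
        del stack[depth:]  # drop siblings and deeper nodes from the last branch
        stack.append(m.group("coord"))
        group_artifact = ":".join(m.group("coord").split(":")[:2])
        if group_artifact == target:
            paths.append(list(stack))
    return paths


def direct_offenders(paths):
    """First-level dependencies that need an exclusion or a replacement."""
    return sorted({p[0] for p in paths})


if __name__ == "__main__":
    for path in find_paths(SAMPLE_TREE):
        print(" -> ".join(path))
```

Run against a real tree and made to fail on a non-empty result, the check can gate a build so the dependency does not return after it has been excluded.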

Comment From: jzheaux

I'm taking a look at spring-security-saml2-service-provider.