Currently, spring-security-saml2-service-provider supports two versions of OpenSAML: 3 and 4.
Since the classes for OpenSAML3 are already deprecated in Spring Security, we should remove them in version 6.0.
It will also simplify version management and make it clearer to users which version to use. See https://github.com/spring-projects/spring-security/issues/10547
Comment From: phtyson
The 6.0.0-M5 spring-security-saml2-service-provider pom uses opensaml 3.4.6. I had to exclude this and add opensaml4 dependencies in order to get compatible jakarta servlet libraries (not javax.servlet). Consider updating the pom to the opensaml4 version. Correction: opensaml4 AbstractHttpServletResponseMessageEncoder still wants to use javax.servlet.http.HttpServletResponse, which is a problem in Java 17.
Comment From: marcusdacoregio
Thank you @phtyson. I've opened https://github.com/spring-projects/spring-security/issues/11658 to track the issue.
Comment From: phtyson
Further to my previous comment, none of the opensaml 4.x releases or snapshots work with Java 17. I used opensaml 5.0.0-SNAPSHOT.