commons-logging exclusion in spring-security-oauth2-authorization-server:7.0.2 causes NoClassDefFoundError

[kontang5]

Describe the bug

spring-security-oauth2-authorization-server:7.0.2 POM excludes commons-logging from spring-core dependency, causing NoClassDefFoundError: org/apache/commons/logging/LogFactory at application startup.

This exclusion was valid when Spring Framework used spring-jcl, but Spring Framework 7 now uses commons-logging directly (spring-projects/spring-framework#32459). Issue #17061 addressed this, but the fix doesn't appear to be included in the 7.0.2 release.

To Reproduce

1. Create Spring Boot 4.0.1 project with Gradle
2. Add dependencies:
   implementation("org.springframework.boot:spring-boot-starter")
   implementation("org.springframework.security:spring-security-oauth2-authorization-server")
3. Run ./gradlew bootRun
4. Application fails with:
   Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/commons/logging/LogFactory
   at org.springframework.boot.SpringApplication.(SpringApplication.java:205)

Expected behavior

Application starts normally since spring-core:7.0.2 declares commons-logging:1.3.5 as a compile dependency.

Sample

https://github.com/kontang5/demo

[ngocnhan-tran1996]

If you are using Spring Boot, you can choose Oauth2 Authorization Server from the https://start.spring.io/ instead of importing
org.springframework.security:spring-security-oauth2-authorization-server and the corresponding Spring Boot dependency is
org.springframework.boot:spring-boot-starter-security-oauth2-authorization-server.