Forwarded headers are now processed before ServerWebExchange is created
through ForwardedHeaderTransformer which has the same logic as the
ForwardedHeaderFilter but works on the request only.

ForwardedHeaderFilter is deprecated as of 5.1 but if registered it is
removed from the list of filters and ForwardedHeaderTransformer is used
instead.

Issue: SPR-17072

Preparation for SPR-17072

Preparation for SPR-17072

Issue: SPR-16418

See Javadoc on UriComponentsBuilder#uriVariables for details.

This helps to prepare for SPR-17027 where the MvcUriComponentsBuilder
already does a partial expand but was forced to build UriComonents
and then create a new UriComponentsBuilder from it to continue. This
change makes it possible to stay with the same builder instance.

Issue: SPR-17027

After the latest changes, two small fixes in the clone method to copy
the encode flag, and in the encodeUriTemplate method to account for
possible null query params.

Improvements in the URI encoding section.

Issue: SPR-17039, SPR-17027

+ minor update to the InMemoryWebSession to match the defined behavior.

Issue: SPR-17051

DefaultUriBuilderFactory now uses EncodingMode.TEMPLATE_AND_VALUES by
default. However the RestTemplate explicitly sets it to the previous
setting EncodingMode.URI_COMPONENTS, so this affects mainly the
WebClient and any direct use of DefaultUriBuilderFactory to configure
either the RestTemplate or the WebClient.

Issue: SPR-17039

Issue: SPR-17039

The ability to request to encode before `build()`, and more importantly
before expanding, allows stricter encoding to be applied to URI vars
and consequently to neutralize the effect of characters with reserved
meaning in a URI.

Issue: SPR-17039

This commit removes the session threshold check added recently which
is not effective since maxIdleTime is usually much longer than the
frequency of checks. The lazy triggering of expiration checks during
create or retreive are simple and the most effective

This commit also adds a maxSessions limit on the total number of
sessions that can be created at any one time, a getSessions method
for management purposes, and a removeExpiredSessions public API
for manual triggering of expiration checks.

Issue: SPR-17020, SPR-16713

1. Add session count threshold as am extra pre-condition.
2. Check pre-conditions for expiration checks on every request.

Effectively an upper bound on how many sessions can be created before
expiration checks are performed.

Issue: SPR-17020

Issue: SPR-16203

Issue: SPR-16980

Update tests to ensure that tabs are used instead of spaces. Also
consistently apply a new line at the end of each file.

Issue: SPR-16968

Polish a few issue identified when adding checkstyle to the
build. Although checkstyle is not enforcing rules on tests,
these are a few minor changes that are still worth making.

Issue: SPR-16968

Issue: SPR-16972

Issue: SPR-16898

Issue: SPR-16898

Issue: SPR-16940

This commit adds support for the "SameSite" attribute in response
cookies. As explained in rfc6265bis, this attribute can be used to limit
the scope of a cookie so that it can't be attached to a request unless
it is sent from the "same-site".

This feature is currently supported by Google Chrome and Firefox, other
browsers will ignore this attribute.

This feature can help prevent CSRF attacks; this is why this commit adds
this attribute by default for SESSION Cookies in WebFlux.

See: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis

Issue: SPR-16418

Issue: SPR-16505
Issue: SPR-16499

This commit restricts the allowed HTTP methods on HiddenHttpMethodFilter
(Reactive variant) to the following: PUT, DELETE, PATCH.

This filter is meant to be used to simulate those methods from HTML
forms sent by browsers, so no other methods are allowed.

Issue: SPR-16836

This commit restricts the allowed HTTP methods on HiddenHttpMethodFilter
(Servlet variant) to the following: PUT, DELETE, PATCH.

This filter is meant to be used to simulate those methods from HTML
forms sent by browsers, so no other methods are allowed.

Issue: SPR-16836

Issue: SPR-16336

This commit adds FormContentFilter, which is the same as the
HttpPutFormContentFilter but also supports DELETE.

The HttpPutFormContentFilter is now deprecated.

Issue: SPR-16874

Issue: SPR-16863

Issue: SPR-16863

Issue: SPR-16808

DefaultMultipartHttpServletRequest always returned mulitpart parameter
values only rather than aggregating with query parameters, which
contradicts with Servlet spec, section 3.1, and is inconsistent with
StandardMultipartHttpServletRequest.

Issue: SPR-16590

This commit removes all places where forwarded headers are checked
implicitly, on an ad-hoc basis.

ForwardedHeaderFilter is expected to be used instead providing
centralized control over using or discarding such headers.

Issue: SPR-16668

Issue: SPR-16772

Prior to this commit, the various `HttpMessageConverter` instances
configured for a given `RestTemplate` instance could all contribute
`MediaType` values to the "Accept:" request header.

This could lead to duplicate media types in that request header,
cluttering for the HTTP request for no reason.

This commit ensures that only distinct values are added to the request.

Issue: SPR-16690

Issue: SPR-16712

Issue: SPR-16604

Issue: SPR-16613