Downgrade to Nimbus JOSE JWT 8.+ #9453

Merged
merged 1 commit into from
Feb 17, 2021

wilkinsona
Member

This pull request corrects the fix for #9399. The previous attempt accidentally left Nimbus JOSE JWT constrained at 9.+ in the main build. The Boot-based samples didn't catch the problem as the constraints that were added were ineffective as Boot's dependency management was taking precedence.

https://ge.spring.io/s/gsspmqm777k4w is a build scan with these changes, showing many 8.x dependencies and no 9.x dependencies.

@wilkinsona
Member Author

I'm not sure what we should do for next week's Boot 2.4 release but we have a few options. In my order of preference, they are:

  1. Upgrade to a new Security 5.4.5 release and downgrade to JOSE JWT 8.x
  2. Stay on Security 5.4.2 and JOSE JWT 9.1.3
  3. Update to Security 5.4.4 but stay on JOSE JWT 9.1.3
  4. Upgrade to Security 5.4.4 and JOSE JWT 9.5

1 is my favourite as it gets the fix into the hands of Boot's users with as little churn for them as possible. 4 is my least favourite as we would be inflicting a minor dependency upgrade in one Boot maintenance release knowing that we're then going to inflict a major dependency downgrade in the next maintenance release. I think this will damage users' confidence in Boot's dependency management. 3 is quite risky as I don't know if Security is binary compatible with 9.1.3 having been compiled against 9.5.

@wilkinsona
Member Author

The build failure appears to be unrelated. It was caused by a bad connection to PCF one:

Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php": Connection timed out (Connection timed out); nested exception is java.net.ConnectException: Connection timed out (Connection timed out)

Labels
in: build An issue in the build type: bug A general bug