I think I got it now. The import point is, that spring-security-core
declares commons-logging
as optional
dependency. So other projects using spring security can abstain from commons-logging
and use the slf4j bridge jcl-over-slf4j
or whatever they like :)
This other answer helped me: https://stackoverflow.com/a/3223701/482702