We saw in #117 that users can experience issues with mismatched versions of Boot and Framework (and Security) because gRPC manages their versions independently, so anyone using our spring-grpc-dependencies BOM and spring-boot-dependencies at the same time can have a nasty surprise.
Probably the best solution is to pull those explicit versions out of our public dependencies BOM and put them in a separate configuration that is either not published at all, or at least not documented, so users can't easily include them by mistake.