
Merge branch 'main' into quarkusio#36376
MaciejDromin committed Dec 6, 2023
2 parents 48ebc43 + b7887aa commit e2e529d
Showing 29 changed files with 473 additions and 55 deletions.
8 changes: 4 additions & 4 deletions bom/application/pom.xml
Expand Up @@ -106,7 +106,7 @@
<hibernate-reactive.version>2.2.0.Final</hibernate-reactive.version>
<hibernate-validator.version>8.0.1.Final</hibernate-validator.version>
<!-- When updating, align hibernate-search.version-for-documentation in docs/pom.xml -->
<hibernate-search.version>7.0.0.CR2</hibernate-search.version>
<hibernate-search.version>7.0.0.Final</hibernate-search.version>
<narayana.version>7.0.0.Final</narayana.version>
<agroal.version>2.1</agroal.version>
<jboss-transaction-spi.version>8.0.0.Final</jboss-transaction-spi.version>
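Review bot: the comment directly above the `hibernate-search.version` line says `hibernate-search.version-for-documentation` in docs/pom.xml must be kept aligned, but no docs/pom.xml hunk appears in this view; confirm the 7.0.0.CR2 to 7.0.0.Final bump was mirrored there, otherwise the two values drift silently after the merge.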
Expand Down Expand Up @@ -182,12 +182,12 @@
<okhttp.version>3.14.9</okhttp.version><!-- keep in sync with okio -->
<okio.version>1.17.6</okio.version><!-- keep in sync with okhttp -->
<hibernate-quarkus-local-cache.version>0.3.0</hibernate-quarkus-local-cache.version>
<flapdoodle.mongo.version>4.9.2</flapdoodle.mongo.version>
<flapdoodle.mongo.version>4.11.1</flapdoodle.mongo.version>
<quarkus-spring-api.version>5.2.SP7</quarkus-spring-api.version>
<quarkus-spring-data-api.version>2.1.SP2</quarkus-spring-data-api.version>
<quarkus-spring-security-api.version>5.4.Final</quarkus-spring-security-api.version>
<quarkus-spring-boot-api.version>2.1.SP1</quarkus-spring-boot-api.version>
<mockito.version>5.3.1</mockito.version>
<mockito.version>5.8.0</mockito.version>
<jna.version>5.8.0</jna.version><!-- should satisfy both testcontainers and mongodb -->
<antlr.version>4.13.0</antlr.version><!-- needs to align with same property in build-parent/pom.xml -->
<quarkus-security.version>2.0.2.Final</quarkus-security.version>
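Review bot: the `jna.version` context line states that the pinned JNA must satisfy both testcontainers and mongodb, and `flapdoodle.mongo.version` moves two minor versions (4.9.2 to 4.11.1) in this hunk; check that 4.11.1 is still happy with `jna.version` 5.8.0 (its equality with the new `mockito.version` 5.8.0 is coincidental, so the two should not be coupled).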
Expand All @@ -203,7 +203,7 @@
<commons-compress.version>1.25.0</commons-compress.version>
<commons-text.version>1.11.0</commons-text.version>
<gson.version>2.10.1</gson.version>
<log4j2-jboss-logmanager.version>1.1.1.Final</log4j2-jboss-logmanager.version>
<log4j2-jboss-logmanager.version>1.1.2.Final</log4j2-jboss-logmanager.version>
<log4j2-api.version>2.22.0</log4j2-api.version>
<log4j-jboss-logmanager.version>1.3.0.Final</log4j-jboss-logmanager.version>
<avro.version>1.11.3</avro.version>
2 changes: 1 addition & 1 deletion build-parent/pom.xml
Expand Up @@ -109,7 +109,7 @@
<keycloak.docker.image>quay.io/keycloak/keycloak:${keycloak.version}</keycloak.docker.image>
<keycloak.docker.legacy.image>quay.io/keycloak/keycloak:${keycloak.wildfly.version}-legacy</keycloak.docker.legacy.image>

<unboundid-ldap.version>6.0.10</unboundid-ldap.version>
<unboundid-ldap.version>6.0.11</unboundid-ldap.version>

<assertj.version>3.24.2</assertj.version>

Expand Up @@ -184,7 +184,7 @@ public static Set<String> configFiles(Path configFilesLocation) throws IOExcepti
Set<String> configFiles = new HashSet<>();
try (DirectoryStream<Path> candidates = Files.newDirectoryStream(configFilesLocation, CONFIG_FILES_FILTER)) {
for (Path candidate : candidates) {
configFiles.add(candidate.toString());
configFiles.add(candidate.toUri().getPath());
}
}
return configFiles;
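Review bot: `candidate.toUri().getPath()` is not a drop-in replacement for `candidate.toString()`: it always produces forward slashes, prefixes Windows drive paths with a slash (`/C:/...`), URL-decodes the result, and returns `null` for non-hierarchical URIs such as those produced by the `jar:` file system, which would silently put a `null` into the `Set<String>`. If the intent is a normalized, platform-independent string, say so in a comment next to the call and add a test covering a Windows-style `Path` and a path containing spaces; if the intent is only normalization on the default file system, `candidate.toAbsolutePath().normalize().toString()` avoids the URI round trip.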
6 changes: 2 additions & 4 deletions docs/src/main/asciidoc/kafka.adoc
Expand Up @@ -1952,10 +1952,8 @@ mp.messaging.outgoing.fruit-out.compression.type=snappy
----

In JVM mode, it will work out of the box.
However, to compile your application to a native executable, you need to:

1. Uses GraalVM 21.+
2. Add `quarkus.kafka.snappy.enabled=true` to your `application.properties`
However, to compile your application to a native executable, you need to
add `quarkus.kafka.snappy.enabled=true` to your `application.properties`.

In native mode, Snappy is disabled by default as the use of Snappy requires embedding a native library and unpacking it when the application starts.

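Review bot: the removed list dropped the `Uses GraalVM 21.+` prerequisite with no replacement wording. If GraalVM 21 is no longer required for Snappy in native mode, state that explicitly so readers on older GraalVM know the omission is deliberate; if it still is required, keep the requirement next to the `quarkus.kafka.snappy.enabled=true` sentence rather than relying on readers to infer it.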
4 changes: 2 additions & 2 deletions docs/src/main/asciidoc/scheduler-reference.adoc
Expand Up @@ -164,7 +164,7 @@ So for example a Property Expression with the default value `"off"` can be used
void myMethod() { }
----


[#identity]
=== Identity

By default, a unique identifier is generated for each scheduled method.
Expand Down Expand Up @@ -417,7 +417,7 @@ If the xref:smallrye-metrics.adoc[SmallRye Metrics extension] is present, then a

== OpenTelemetry Tracing

If `quarkus.scheduler.tracing.enabled` is set to `true` and the xref:opentelemetry.adoc[OpenTelemetry extension] is present then the `@io.opentelemetry.instrumentation.annotations.WithSpan` annotation is added automatically to every `@Scheduled` method. As a result, each execution of this method has a new `io.opentelemetry.api.trace.Span` associated.
If `quarkus.scheduler.tracing.enabled` is set to `true` and the xref:opentelemetry.adoc[OpenTelemetry extension] is present then every job execution, either defined with the `@Scheduled` annotation or scheduled programmatically, automatically creates a span named after the job's <<identity>>.

[[virtual_threads]]
== Run @Scheduled methods on virtual threads
Expand Up @@ -87,9 +87,9 @@ import io.vertx.ext.web.RoutingContext;
@ApplicationScoped
public class CustomNamedHttpSecPolicy implements HttpSecurityPolicy {
@Override
public Uni<CheckResult> checkPermission(RoutingContext request, Uni<SecurityIdentity> identity,
public Uni<CheckResult> checkPermission(RoutingContext event, Uni<SecurityIdentity> identity,
AuthorizationRequestContext requestContext) {
if (customRequestAuthorization(request)) {
if (customRequestAuthorization(event)) {
return Uni.createFrom().item(CheckResult.PERMIT);
}
return Uni.createFrom().item(CheckResult.DENY);
Expand All @@ -99,6 +99,11 @@ public class CustomNamedHttpSecPolicy implements HttpSecurityPolicy {
public String name() {
return "custom"; <1>
}
private static boolean customRequestAuthorization(RoutingContext event) {
// here comes your own security check
return !event.request().path().endsWith("denied");
}
}
----
<1> Named HTTP Security policy will only be applied to requests matched by the `application.properties` path matching rules.
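Review bot: the new `customRequestAuthorization` helper is allow-by-default with a deny on a single string suffix, and it tests the raw `event.request().path()` rather than a normalized path. That is acceptable as a placeholder, but the `// here comes your own security check` comment should say so, for example `// illustrative only: a real policy should deny by default and match normalized paths`, because this snippet is exactly what readers will paste into their own `HttpSecurityPolicy`.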
Expand Down Expand Up @@ -376,8 +381,6 @@ The following <<subject-example>> demonstrates an endpoint that uses both Jakart
----
import java.security.Principal;
import jakarta.annotation.security.DenyAll;
import jakarta.annotation.security.PermitAll;
import jakarta.annotation.security.RolesAllowed;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
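Review bot: removing the `DenyAll` and `PermitAll` imports is only correct if neither annotation is still used further down the (elided) endpoint example; the hunk header sentence still says the endpoint uses both Jakarta annotations, so please confirm the remaining body and the surrounding prose agree with the trimmed import list.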
Expand Down Expand Up @@ -617,7 +620,7 @@ quarkus.http.auth.permission.roles1.paths=/crud/modify/*,/crud/id/*
quarkus.http.auth.permission.roles1.policy=role-policy1
quarkus.http.auth.policy.role-policy2.permissions.user=list
quarkus.http.auth.policy.role-policy2.permission-class=org.acme.crud.CRUDResource.CustomPermission <4>
quarkus.http.auth.policy.role-policy2.permission-class=org.acme.crud.CRUDResource$CustomPermission <4>
quarkus.http.auth.permission.roles2.paths=/crud/list
quarkus.http.auth.permission.roles2.policy=role-policy2
----
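Review bot: `org.acme.crud.CRUDResource$CustomPermission` is the correct value, since `permission-class` is resolved by class name and a nested class's binary name uses `$` rather than `.`; callout <4> would benefit from one sentence saying so, because the old `.`-separated form looks natural in Java source and only fails at runtime.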
Expand All @@ -626,7 +629,7 @@ Similarly, for the `@PermissionsAllowed` annotation, `io.quarkus.security.String
<2> Permissions `create`, `update`, and `read` are mapped to the role `admin`.
<3> The role policy `role-policy1` allows only authenticated requests to access `/crud/modify` and `/crud/id` sub-paths.
For more information about the path-matching algorithm, see <<matching-multiple-paths>> later in this guide.
<4> You can also specify a custom implementation of the `java.security.Permission` class.
<4> You can specify a custom implementation of the `java.security.Permission` class.
Your custom class must define exactly one constructor that accepts the permission name and optionally some actions, for example, `String` array.
In this scenario, the permission `list` is added to the `SecurityIdentity` instance as `new CustomPermission("list")`.

Expand All @@ -638,6 +641,8 @@ Later, Quarkus instantiates your custom permission with actual arguments, with w

[source,java]
----
package org.acme.library;
import java.security.Permission;
import java.util.Arrays;
import java.util.Set;
Expand Down Expand Up @@ -665,7 +670,7 @@ public class LibraryPermission extends Permission {
return false;
}
...
// here comes your own implementation of the `java.security.Permission` class methods
public static abstract class Library {
Expand All @@ -684,7 +689,7 @@ public class LibraryPermission extends Permission {
}
public static class TvLibrary extends MediaLibrary {
...
// TvLibrary specific implementation of the 'isParentLibraryOf' method
}
}
----
Expand All @@ -699,8 +704,11 @@ The following example shows how the `LibraryPermission` class can be used:

[source,java]
----
package org.acme.library;
import io.quarkus.security.PermissionsAllowed;
import jakarta.enterprise.context.ApplicationScoped;
import org.acme.library.LibraryPermission.Library;
@ApplicationScoped
public class LibraryService {
Expand Down Expand Up @@ -729,6 +737,15 @@ The permission constructor and the annotated method must have the parameter `lib

[source,java]
----
package org.acme.library;
import io.quarkus.security.PermissionsAllowed;
import jakarta.inject.Inject;
import jakarta.ws.rs.PUT;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import org.acme.library.LibraryPermission.Library;
@Path("/library")
public class LibraryResource {
Expand Down Expand Up @@ -759,9 +776,6 @@ Similarly to the `CRUDResource` example, the following example shows how you can
package org.acme.library;
import io.quarkus.runtime.annotations.RegisterForReflection;
import java.security.Permission;
import java.util.Arrays;
import java.util.Set;
@RegisterForReflection <1>
public class MediaLibraryPermission extends LibraryPermission {
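Review bot: dropping `java.security.Permission`, `java.util.Arrays` and `java.util.Set` from `MediaLibraryPermission` is only safe if the elided class body does not reference them; the `LibraryPermission` superclass shown earlier imports all three, so confirm the subclass has no `implies`/`getActions`-style code that still needs them, or the listing will not compile as shown.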
Expand All @@ -782,10 +796,12 @@ quarkus.http.auth.policy.role-policy3.permission-class=org.acme.library.MediaLib
quarkus.http.auth.permission.roles3.paths=/library/*
quarkus.http.auth.permission.roles3.policy=role-policy3
----

<1> Grants the permission `media-library`, which permits `read`, `write`, and `list` actions.
Because `MediaLibrary` is the `TvLibrary` class parent, a user with the `admin` role is also permitted to modify `TvLibrary`.

TIP: The `/library/*` path can be tested from a Keycloak provider Dev UI page, because the user `alice` which is created
automatically by the xref:security-openid-connect-dev-services.adoc[Dev Services for Keycloak] has an `admin` role.

The examples provided so far use role-to-permission mapping.
You can also add permissions to the `SecurityIdentity` instance programmatically.
In the following example, xref:security-customization.adoc#security-identity-customization[`SecurityIdentity` is customized] to add the same permission that was previously granted with the HTTP role-based policy.
Expand Up @@ -20,8 +20,6 @@ See also, xref:security-authentication-mechanisms.adoc#other-supported-authentic

If you want to protect your service applications by using OIDC Bearer token authentication, see xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer token authentication].

:sectnums!:

== Prerequisites

:prerequisites-docker:
Expand Down Expand Up @@ -91,6 +89,7 @@ import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import org.eclipse.microprofile.jwt.Claims;
import org.eclipse.microprofile.jwt.JsonWebToken;
import io.quarkus.oidc.IdToken;
Expand Down Expand Up @@ -132,7 +131,7 @@ public class TokenResource {
.append("<ul>");
Object userName = this.idToken.getClaim("preferred_username");
Object userName = this.idToken.getClaim(Claims.preferred_username);
if (userName != null) {
response.append("<li>username: ").append(userName.toString()).append("</li>");
Expand Down Expand Up @@ -191,15 +190,15 @@ To start a Keycloak server, use Docker and run the following command:
docker run --name keycloak -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -p 8180:8080 quay.io/keycloak/keycloak:{keycloak.version} start-dev
----

where `keycloak.version` should be set to `17.0.0` or higher.
where `keycloak.version` should be set to `23.0.0` or higher.

You should be able to access your Keycloak Server at http://localhost:8180[localhost:8180].

To access the Keycloak Administration Console, log in as the `admin` user.
Username should be `admin` and password `admin`.

Import the link:{quickstarts-tree-url}/security-openid-connect-web-authentication-quickstart/config/quarkus-realm.json[realm configuration file] to create a new realm.
For more information, see the Keycloak documentation about how to https://www.keycloak.org/docs/latest/server_admin/index.html#_create-realm[create a new realm].
For more information, see the Keycloak documentation about how to https://www.keycloak.org/docs/latest/server_admin/index.html#configuring-realms[create and configure a new realm].

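Review bot: raising the minimum `keycloak.version` to 23.0.0 matches the `quay.io/keycloak/keycloak:{keycloak.version} start-dev` command in the context, but `start-dev` is Keycloak's development mode (no TLS, dev-oriented defaults); since the realm import link points readers at the quickstart's `quarkus-realm.json`, a one-line reminder that this setup is for local development only would be worth adding here.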
== Run the application in dev and JVM modes

Expand Down Expand Up @@ -254,11 +253,13 @@ To authenticate to the application, type the following credentials when at the K
* Username: *alice*
* Password: *alice*

After clicking the `Login` button, you are redirected back to the application.
After clicking the `Login` button, you are redirected back to the application and a session cookie will be created.

The session for this demo is short-lived and you will be asked to re-authenticate on every page refresh. Please follow the Keycloak https://www.keycloak.org/docs/latest/server_admin/#_timeouts[session timeout] documentation to learn how to increase the session timeouts. For example, you can access Keycloak Admin console directly from Dev UI by selecting a `Keycloak Admin` link if you use xref:security-oidc-code-flow-authentication.adoc#integration-testing-keycloak-devservices[Dev Services for Keycloak] in dev mode:

For more information about writing the integration tests that depend on `Dev Services for Keycloak`, see the <<security-oidc-code-flow-authentication.adoc#integration-testing-keycloak-devservices, Dev Services for Keycloak>> section.
image::dev-ui-oidc-keycloak-card.png[alt=Dev UI OpenID Connect Card,role="center"]

:sectnums!:
For more information about writing the integration tests that depend on `Dev Services for Keycloak`, see the xref:security-oidc-code-flow-authentication.adoc#integration-testing-keycloak-devservices[Dev Services for Keycloak] section.

== Summary

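Review bot: the new paragraph tells readers to follow the Keycloak session timeout documentation to stop re-authenticating on every refresh, right after the sentence that introduces the session cookie, but says nothing about the trade-off: a longer session keeps a stolen cookie usable for longer. One clause such as `weigh this against your session-theft exposure` would keep the tutorial from reading as a blanket recommendation to increase timeouts. Also note the sentence ends with a colon that now points at the image, and `:sectnums!:` was moved here from the top of the file; both look intentional but deserve a glance.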
