Sync documentation of main branch

_generated-doc/main/config/quarkus-all-config.adoc

@@ -8755,6 +8755,34 @@ endif::add-copy-button-to-env-var[]
 |boolean
 |`true`
 
+a|icon:lock[title=Fixed at build time] [[quarkus-vertx-http_quarkus-http-auth-inclusive]] [.property-path]##`quarkus.http.auth.inclusive`##
+
+[.description]
+--
+Require that all registered HTTP authentication mechanisms must complete the authentication.
+
+Typically, this property has to be true when the credentials are carried over mTLS, when both mTLS and another authentication, for example, OIDC bearer token authentication, must succeed. In such cases, `SecurityIdentity` created by the first mechanism, mTLS, can be injected, identities created by other mechanisms will be available on `SecurityIdentity`. The identities can be retrieved using utility method as in the example below:
+
+```
+```
+
+`io.quarkus.vertx.http.runtime.security.HttpSecurityUtils.getSecurityIdentities(securityIdentity)`
+
+This property is false by default which means that the authentication process is complete as soon as the first `SecurityIdentity` is created.
+
+This property will be ignored if the path specific authentication is enabled.
+
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_HTTP_AUTH_INCLUSIVE+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_HTTP_AUTH_INCLUSIVE+++`
+endif::add-copy-button-to-env-var[]
+--
+|boolean
+|`false`
+
 a|icon:lock[title=Fixed at build time] [[quarkus-vertx-http_quarkus-http-ssl-client-auth]] [.property-path]##`quarkus.http.ssl.client-auth`##
 
 [.description]
@@ -68233,7 +68261,7 @@ Environment variable: `+++QUARKUS_REST_CLIENT_CAPTURE_STACKTRACE+++`
 endif::add-copy-button-to-env-var[]
 --
 |boolean
-|`true`
+|`false`
 
 a| [[quarkus-rest-client-config_quarkus-rest-client-logging-scope]] [.property-path]##`quarkus.rest-client.logging.scope`##
 
@@ -76699,7 +76727,9 @@ a| [[quarkus-websockets-next_quarkus-websockets-next-client-unhandled-failure-st
 --
 The strategy used when an error occurs but no error handler can handle the failure.
 
-By default, the connection is closed when an unhandled failure occurs.
+By default, the error message is logged when an unhandled failure occurs.
+
+Note that clients should not close the WebSocket connection arbitrarily. See also RFC-6455 link:https://datatracker.ietf.org/doc/html/rfc6455#section-7.3[section 7.3].
 
 
 ifdef::add-copy-button-to-env-var[]
@@ -76709,8 +76739,8 @@ ifndef::add-copy-button-to-env-var[]
 Environment variable: `+++QUARKUS_WEBSOCKETS_NEXT_CLIENT_UNHANDLED_FAILURE_STRATEGY+++`
 endif::add-copy-button-to-env-var[]
 --
-a|tooltip:close[Close the connection.], tooltip:log[Log an error message.], tooltip:noop[No operation.]
-|tooltip:close[Close the connection.]
+a|tooltip:log-and-close[Log the error message and close the connection.], tooltip:close[Close the connection silently.], tooltip:log[Log the error message.], tooltip:noop[No operation.]
+|tooltip:log[Log the error message.]
 
 a| [[quarkus-websockets-next_quarkus-websockets-next-client-tls-configuration-name]] [.property-path]##`quarkus.websockets-next.client.tls-configuration-name`##
 
@@ -76862,7 +76892,7 @@ a| [[quarkus-websockets-next_quarkus-websockets-next-server-unhandled-failure-st
 --
 The strategy used when an error occurs but no error handler can handle the failure.
 
-By default, the connection is closed when an unhandled failure occurs.
+By default, the error message is logged and the connection is closed when an unhandled failure occurs.
 
 
 ifdef::add-copy-button-to-env-var[]
@@ -76872,8 +76902,8 @@ ifndef::add-copy-button-to-env-var[]
 Environment variable: `+++QUARKUS_WEBSOCKETS_NEXT_SERVER_UNHANDLED_FAILURE_STRATEGY+++`
 endif::add-copy-button-to-env-var[]
 --
-a|tooltip:close[Close the connection.], tooltip:log[Log an error message.], tooltip:noop[No operation.]
-|tooltip:close[Close the connection.]
+a|tooltip:log-and-close[Log the error message and close the connection.], tooltip:close[Close the connection silently.], tooltip:log[Log the error message.], tooltip:noop[No operation.]
+|tooltip:log-and-close[Log the error message and close the connection.]
 
 a| [[quarkus-websockets-next_quarkus-websockets-next-server-security-auth-failure-redirect-url]] [.property-path]##`quarkus.websockets-next.server.security.auth-failure-redirect-url`##
 

_generated-doc/main/config/quarkus-rest-client-config.adoc

@@ -607,7 +607,7 @@ Environment variable: `+++QUARKUS_REST_CLIENT_CAPTURE_STACKTRACE+++`
 endif::add-copy-button-to-env-var[]
 --
 |boolean
-|`true`
+|`false`
 
 a| [[quarkus-rest-client-config_quarkus-rest-client-logging-scope]] [.property-path]##`quarkus.rest-client.logging.scope`##
 

_generated-doc/main/config/quarkus-rest-client-config_quarkus.rest-client.adoc

@@ -607,7 +607,7 @@ Environment variable: `+++QUARKUS_REST_CLIENT_CAPTURE_STACKTRACE+++`
 endif::add-copy-button-to-env-var[]
 --
 |boolean
-|`true`
+|`false`
 
 a| [[quarkus-rest-client-config_quarkus-rest-client-logging-scope]] [.property-path]##`quarkus.rest-client.logging.scope`##
 

_generated-doc/main/config/quarkus-vertx-http_quarkus.http.adoc

@@ -93,6 +93,34 @@ endif::add-copy-button-to-env-var[]
 |boolean
 |`true`
 
+a|icon:lock[title=Fixed at build time] [[quarkus-vertx-http_quarkus-http-auth-inclusive]] [.property-path]##`quarkus.http.auth.inclusive`##
+
+[.description]
+--
+Require that all registered HTTP authentication mechanisms must complete the authentication.
+
+Typically, this property has to be true when the credentials are carried over mTLS, when both mTLS and another authentication, for example, OIDC bearer token authentication, must succeed. In such cases, `SecurityIdentity` created by the first mechanism, mTLS, can be injected, identities created by other mechanisms will be available on `SecurityIdentity`. The identities can be retrieved using utility method as in the example below:
+
+```
+```
+
+`io.quarkus.vertx.http.runtime.security.HttpSecurityUtils.getSecurityIdentities(securityIdentity)`
+
+This property is false by default which means that the authentication process is complete as soon as the first `SecurityIdentity` is created.
+
+This property will be ignored if the path specific authentication is enabled.
+
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_HTTP_AUTH_INCLUSIVE+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_HTTP_AUTH_INCLUSIVE+++`
+endif::add-copy-button-to-env-var[]
+--
+|boolean
+|`false`
+
 a|icon:lock[title=Fixed at build time] [[quarkus-vertx-http_quarkus-http-ssl-client-auth]] [.property-path]##`quarkus.http.ssl.client-auth`##
 
 [.description]

_generated-doc/main/config/quarkus-websockets-next.adoc

@@ -86,7 +86,9 @@ a| [[quarkus-websockets-next_quarkus-websockets-next-client-unhandled-failure-st
 --
 The strategy used when an error occurs but no error handler can handle the failure.
 
-By default, the connection is closed when an unhandled failure occurs.
+By default, the error message is logged when an unhandled failure occurs.
+
+Note that clients should not close the WebSocket connection arbitrarily. See also RFC-6455 link:https://datatracker.ietf.org/doc/html/rfc6455#section-7.3[section 7.3].
 
 
 ifdef::add-copy-button-to-env-var[]
@@ -96,8 +98,8 @@ ifndef::add-copy-button-to-env-var[]
 Environment variable: `+++QUARKUS_WEBSOCKETS_NEXT_CLIENT_UNHANDLED_FAILURE_STRATEGY+++`
 endif::add-copy-button-to-env-var[]
 --
-a|tooltip:close[Close the connection.], tooltip:log[Log an error message.], tooltip:noop[No operation.]
-|tooltip:close[Close the connection.]
+a|tooltip:log-and-close[Log the error message and close the connection.], tooltip:close[Close the connection silently.], tooltip:log[Log the error message.], tooltip:noop[No operation.]
+|tooltip:log[Log the error message.]
 
 a| [[quarkus-websockets-next_quarkus-websockets-next-client-tls-configuration-name]] [.property-path]##`quarkus.websockets-next.client.tls-configuration-name`##
 
@@ -249,7 +251,7 @@ a| [[quarkus-websockets-next_quarkus-websockets-next-server-unhandled-failure-st
 --
 The strategy used when an error occurs but no error handler can handle the failure.
 
-By default, the connection is closed when an unhandled failure occurs.
+By default, the error message is logged and the connection is closed when an unhandled failure occurs.
 
 
 ifdef::add-copy-button-to-env-var[]
@@ -259,8 +261,8 @@ ifndef::add-copy-button-to-env-var[]
 Environment variable: `+++QUARKUS_WEBSOCKETS_NEXT_SERVER_UNHANDLED_FAILURE_STRATEGY+++`
 endif::add-copy-button-to-env-var[]
 --
-a|tooltip:close[Close the connection.], tooltip:log[Log an error message.], tooltip:noop[No operation.]
-|tooltip:close[Close the connection.]
+a|tooltip:log-and-close[Log the error message and close the connection.], tooltip:close[Close the connection silently.], tooltip:log[Log the error message.], tooltip:noop[No operation.]
+|tooltip:log-and-close[Log the error message and close the connection.]
 
 a| [[quarkus-websockets-next_quarkus-websockets-next-server-security-auth-failure-redirect-url]] [.property-path]##`quarkus.websockets-next.server.security.auth-failure-redirect-url`##
 

_generated-doc/main/config/quarkus-websockets-next_quarkus.websockets-next.adoc

@@ -86,7 +86,9 @@ a| [[quarkus-websockets-next_quarkus-websockets-next-client-unhandled-failure-st
 --
 The strategy used when an error occurs but no error handler can handle the failure.
 
-By default, the connection is closed when an unhandled failure occurs.
+By default, the error message is logged when an unhandled failure occurs.
+
+Note that clients should not close the WebSocket connection arbitrarily. See also RFC-6455 link:https://datatracker.ietf.org/doc/html/rfc6455#section-7.3[section 7.3].
 
 
 ifdef::add-copy-button-to-env-var[]
@@ -96,8 +98,8 @@ ifndef::add-copy-button-to-env-var[]
 Environment variable: `+++QUARKUS_WEBSOCKETS_NEXT_CLIENT_UNHANDLED_FAILURE_STRATEGY+++`
 endif::add-copy-button-to-env-var[]
 --
-a|tooltip:close[Close the connection.], tooltip:log[Log an error message.], tooltip:noop[No operation.]
-|tooltip:close[Close the connection.]
+a|tooltip:log-and-close[Log the error message and close the connection.], tooltip:close[Close the connection silently.], tooltip:log[Log the error message.], tooltip:noop[No operation.]
+|tooltip:log[Log the error message.]
 
 a| [[quarkus-websockets-next_quarkus-websockets-next-client-tls-configuration-name]] [.property-path]##`quarkus.websockets-next.client.tls-configuration-name`##
 
@@ -249,7 +251,7 @@ a| [[quarkus-websockets-next_quarkus-websockets-next-server-unhandled-failure-st
 --
 The strategy used when an error occurs but no error handler can handle the failure.
 
-By default, the connection is closed when an unhandled failure occurs.
+By default, the error message is logged and the connection is closed when an unhandled failure occurs.
 
 
 ifdef::add-copy-button-to-env-var[]
@@ -259,8 +261,8 @@ ifndef::add-copy-button-to-env-var[]
 Environment variable: `+++QUARKUS_WEBSOCKETS_NEXT_SERVER_UNHANDLED_FAILURE_STRATEGY+++`
 endif::add-copy-button-to-env-var[]
 --
-a|tooltip:close[Close the connection.], tooltip:log[Log an error message.], tooltip:noop[No operation.]
-|tooltip:close[Close the connection.]
+a|tooltip:log-and-close[Log the error message and close the connection.], tooltip:close[Close the connection silently.], tooltip:log[Log the error message.], tooltip:noop[No operation.]
+|tooltip:log-and-close[Log the error message and close the connection.]
 
 a| [[quarkus-websockets-next_quarkus-websockets-next-server-security-auth-failure-redirect-url]] [.property-path]##`quarkus.websockets-next.server.security.auth-failure-redirect-url`##
 

_versions/main/guides/_attributes.adoc

@@ -9,7 +9,7 @@
 :graalvm-docs-version: jdk21
 :graalvm-flavor: jdk-21
 :mandrel-flavor: jdk-21
-:surefire-version: 3.4.0
+:surefire-version: 3.5.0
 :gradle-version: 8.9
 :elasticsearch-version: 8.15.0
 :elasticsearch-image: docker.io/elastic/elasticsearch:8.15.0

_versions/main/guides/cdi-integration.adoc

@@ -323,6 +323,24 @@ SyntheticBeanBuildItem syntheticBean(TestRecorder recorder) {
 <1> By default, a synthetic bean is initialized during `STATIC_INIT`.
 <2> The bean instance is supplied by a value returned from a recorder method.
 
+It is also possible to create a generic synthetic bean `Foo<Bar>`.
+
+.`SyntheticBeanBuildItem` Example 3
+[source,java]
+----
+@BuildStep
+@Record(STATIC_INIT)
+SyntheticBeanBuildItem syntheticBean(TestRecorder recorder) {
+   return SyntheticBeanBuildItem.configure(Foo.class)
+                .types(ParameterizedType.create(Foo.class, ClassType.create(Bar.class)))) <1>
+                .scope(Singleton.class)
+                .runtimeValue(recorder.createFooBar())
+                .done();
+}
+----
+
+<1> `types()` or `addType()` must be used to specify the generic type.
+
 It is possible to mark a synthetic bean to be initialized during `RUNTIME_INIT`.
 See the <<writing-extensions.adoc#bootstrap-three-phases,Three Phases of Bootstrap and Quarkus Philosophy>> for more information about the difference between `STATIC_INIT` and `RUNTIME_INIT`.
 

_versions/main/guides/gradle-tooling.adoc

@@ -828,15 +828,15 @@ The current state of compatibility is shown in the following table:
 |`quarkusAppPartsBuild`|✅
 |`quarkusShowEffectiveConfig`|✅
 |`quarkusBuild`|✅
+|`imageBuild`|✅
+|`imagePush`|✅
 |`quarkusDev`|❌
 |`quarkusRun`|❌
 |`quarkusRemoteDev`|❌
 |`quarkusTest`|❌
 |`quarkusGoOffline`|❌
 |`quarkusInfo`|❌
 |`quarkusUpdate`|❌
-|`imageBuild`|❌
-|`imagePush`|❌
 |`deploy`|❌
 |`listExtensions`|❌
 |`listCategories`|❌

_versions/main/guides/native-reference.adoc

@@ -602,7 +602,7 @@ For example:
 ----
 $ ./mvnw verify -DskipITs=false -Dquarkus.test.integration-test-profile=test-with-native-agent
 ...
-[INFO] --- failsafe:3.4.0:integration-test (default) @ new-project ---
+[INFO] --- failsafe:3.5.0:integration-test (default) @ new-project ---
 ...
 [INFO] -------------------------------------------------------
 [INFO]  T E S T S

_versions/main/guides/security-authentication-mechanisms.adoc

@@ -584,6 +584,70 @@ ifndef::no-quarkus-elytron-security-oauth2[ ^|Yes]
 If different sources provide the user credentials, you can combine authentication mechanisms.
 For example, you can combine the built-in Basic and the Quarkus `quarkus-oidc` Bearer token authentication mechanisms.
 
+The authentication process completes as soon as the first `SecurityIdentity` is produced by one of the authentication mechanisms.
+
+In some cases it can be required that all registered authentication mechanisms create their `SecurityIdentity`.
+It can be required when the credentials such as tokens have to be passed over <<mutual-tls>>,
+for example, when users are authenticating via `Virtual Private Network`, or when the current token has to be bound
+to the client certificate for the token verification to succeed, guaranteeing that the token was issued exactly
+to the same client which is currently passing this token to Quarkus alongside its client certificate.
+
+In Quarkus such authentication is called `inclusive` and you can enable it like this:
+
+[source,properties]
+----
+quarkus.http.auth.inclusive=true
+----
+
+If the authentication is inclusive then `SecurityIdentity` created by the first authentication mechanism can be
+injected into the application code.
+For example, if both <<mutual-tls>> and basic authentication mechanism authentications are required,
+the <<mutual-tls>> authentication mechanism will create `SecurityIdentity` first.
+
+Additional `SecurityIdentity` instances can be accessed as a `quarkus.security.identities` attribute on the first
+`SecurityIdentity`, however, accessing these extra identities directly may not be necessary, for example,
+when both <<mutual-tls>> and xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer authentication] mechanisms
+have been combined and done their authentications, the authenticated bearer token can be injected as a token
+credential alongside `SecurityIdentity` created by <<mutual-tls>>. This is exemplified below:
+
+[source,java]
+----
+package org.acme.security;
+
+import io.quarkus.oidc.AccessTokenCredential;
+import io.quarkus.oidc.common.runtime.OidcConstants;
+import io.quarkus.security.identity.SecurityIdentity;
+import io.quarkus.vertx.http.runtime.security.HttpSecurityUtils;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+
+@ApplicationScoped
+public class InclusiveAuthExampleBean {
+
+    @Inject
+    SecurityIdentity mtlsIdentity;  <1>
+
+    @Inject
+    AccessTokenCredential accessTokenCredential;
+
+    private AccessTokenCredential getAccessTokenCredential() {
+        if (doItHardWay()) {
+            var securityIdentities = HttpSecurityUtils.getSecurityIdentities(mtlsIdentity);    <2>
+            if (securityIdentities != null) {
+                SecurityIdentity bearerIdentity = securityIdentities.get(OidcConstants.BEARER_SCHEME);
+                if (bearerIdentity != null) {
+                    return bearerIdentity.getCredential(AccessTokenCredential.class);
+                }
+            }
+        }
+        return accessTokenCredential;
+    }
+
+}
+----
+<1> This is the `SecurityIdentity` created by applicable authentication mechanism with the highest priority.
+<2> Other applicable authentication mechanisms performed authentication and are available on the `SecurityIdentity`.
+
 [IMPORTANT]
 ====
 You cannot combine the Quarkus `quarkus-oidc` Bearer token and `smallrye-jwt` authentication mechanisms because both mechanisms attempt to verify the token extracted from the HTTP Bearer token authentication scheme.

_versions/main/guides/websockets-next-reference.adoc

@@ -424,8 +424,8 @@ The method that declares a most-specific supertype of the actual exception is se
 NOTE: The `@io.quarkus.websockets.next.OnError` annotation can be also used to declare a global error handler, i.e. a method that is not declared on a WebSocket endpoint. Such a method may not accept `@PathParam` paremeters. Error handlers declared on an endpoint take precedence over the global error handlers.
 
 When an error occurs but no error handler can handle the failure, Quarkus uses the strategy specified by `quarkus.websockets-next.server.unhandled-failure-strategy`.
-By default, the connection is closed.
-Alternatively, an error message can be logged or no operation performed.
+For server endpoints, the error message is logged and the connection is closed by default.
+For client endpoints, the error message is logged by default.
 
 [[serialization]]
 === Serialization and deserialization