diff --git a/_generated-doc/main/config/quarkus-all-config.adoc b/_generated-doc/main/config/quarkus-all-config.adoc index 8b2fd64a0d..8734bfdff8 100644 --- a/_generated-doc/main/config/quarkus-all-config.adoc +++ b/_generated-doc/main/config/quarkus-all-config.adoc @@ -8755,6 +8755,34 @@ endif::add-copy-button-to-env-var[] |boolean |`true` +a|icon:lock[title=Fixed at build time] [[quarkus-vertx-http_quarkus-http-auth-inclusive]] [.property-path]##`quarkus.http.auth.inclusive`## + +[.description] +-- +Require that all registered HTTP authentication mechanisms must complete the authentication. + +Typically, this property has to be true when the credentials are carried over mTLS, when both mTLS and another authentication, for example, OIDC bearer token authentication, must succeed. In such cases, `SecurityIdentity` created by the first mechanism, mTLS, can be injected, identities created by other mechanisms will be available on `SecurityIdentity`. The identities can be retrieved using utility method as in the example below: + +``` +``` + +`io.quarkus.vertx.http.runtime.security.HttpSecurityUtils.getSecurityIdentities(securityIdentity)` + +This property is false by default which means that the authentication process is complete as soon as the first `SecurityIdentity` is created. + +This property will be ignored if the path specific authentication is enabled. + + +ifdef::add-copy-button-to-env-var[] +Environment variable: env_var_with_copy_button:+++QUARKUS_HTTP_AUTH_INCLUSIVE+++[] +endif::add-copy-button-to-env-var[] +ifndef::add-copy-button-to-env-var[] +Environment variable: `+++QUARKUS_HTTP_AUTH_INCLUSIVE+++` +endif::add-copy-button-to-env-var[] +-- +|boolean +|`false` + a|icon:lock[title=Fixed at build time] [[quarkus-vertx-http_quarkus-http-ssl-client-auth]] [.property-path]##`quarkus.http.ssl.client-auth`## [.description] @@ -68233,7 +68261,7 @@ Environment variable: `+++QUARKUS_REST_CLIENT_CAPTURE_STACKTRACE+++` endif::add-copy-button-to-env-var[] -- |boolean -|`true` +|`false` a| [[quarkus-rest-client-config_quarkus-rest-client-logging-scope]] [.property-path]##`quarkus.rest-client.logging.scope`## @@ -76699,7 +76727,9 @@ a| [[quarkus-websockets-next_quarkus-websockets-next-client-unhandled-failure-st -- The strategy used when an error occurs but no error handler can handle the failure. -By default, the connection is closed when an unhandled failure occurs. +By default, the error message is logged when an unhandled failure occurs. + +Note that clients should not close the WebSocket connection arbitrarily. See also RFC-6455 link:https://datatracker.ietf.org/doc/html/rfc6455#section-7.3[section 7.3]. ifdef::add-copy-button-to-env-var[] @@ -76709,8 +76739,8 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_WEBSOCKETS_NEXT_CLIENT_UNHANDLED_FAILURE_STRATEGY+++` endif::add-copy-button-to-env-var[] -- -a|tooltip:close[Close the connection.], tooltip:log[Log an error message.], tooltip:noop[No operation.] -|tooltip:close[Close the connection.] +a|tooltip:log-and-close[Log the error message and close the connection.], tooltip:close[Close the connection silently.], tooltip:log[Log the error message.], tooltip:noop[No operation.] +|tooltip:log[Log the error message.] a| [[quarkus-websockets-next_quarkus-websockets-next-client-tls-configuration-name]] [.property-path]##`quarkus.websockets-next.client.tls-configuration-name`## @@ -76862,7 +76892,7 @@ a| [[quarkus-websockets-next_quarkus-websockets-next-server-unhandled-failure-st -- The strategy used when an error occurs but no error handler can handle the failure. -By default, the connection is closed when an unhandled failure occurs. +By default, the error message is logged and the connection is closed when an unhandled failure occurs. ifdef::add-copy-button-to-env-var[] @@ -76872,8 +76902,8 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_WEBSOCKETS_NEXT_SERVER_UNHANDLED_FAILURE_STRATEGY+++` endif::add-copy-button-to-env-var[] -- -a|tooltip:close[Close the connection.], tooltip:log[Log an error message.], tooltip:noop[No operation.] -|tooltip:close[Close the connection.] +a|tooltip:log-and-close[Log the error message and close the connection.], tooltip:close[Close the connection silently.], tooltip:log[Log the error message.], tooltip:noop[No operation.] +|tooltip:log-and-close[Log the error message and close the connection.] a| [[quarkus-websockets-next_quarkus-websockets-next-server-security-auth-failure-redirect-url]] [.property-path]##`quarkus.websockets-next.server.security.auth-failure-redirect-url`## diff --git a/_generated-doc/main/config/quarkus-rest-client-config.adoc b/_generated-doc/main/config/quarkus-rest-client-config.adoc index 2e827df22c..df4f864a5a 100644 --- a/_generated-doc/main/config/quarkus-rest-client-config.adoc +++ b/_generated-doc/main/config/quarkus-rest-client-config.adoc @@ -607,7 +607,7 @@ Environment variable: `+++QUARKUS_REST_CLIENT_CAPTURE_STACKTRACE+++` endif::add-copy-button-to-env-var[] -- |boolean -|`true` +|`false` a| [[quarkus-rest-client-config_quarkus-rest-client-logging-scope]] [.property-path]##`quarkus.rest-client.logging.scope`## diff --git a/_generated-doc/main/config/quarkus-rest-client-config_quarkus.rest-client.adoc b/_generated-doc/main/config/quarkus-rest-client-config_quarkus.rest-client.adoc index 2e827df22c..df4f864a5a 100644 --- a/_generated-doc/main/config/quarkus-rest-client-config_quarkus.rest-client.adoc +++ b/_generated-doc/main/config/quarkus-rest-client-config_quarkus.rest-client.adoc @@ -607,7 +607,7 @@ Environment variable: `+++QUARKUS_REST_CLIENT_CAPTURE_STACKTRACE+++` endif::add-copy-button-to-env-var[] -- |boolean -|`true` +|`false` a| [[quarkus-rest-client-config_quarkus-rest-client-logging-scope]] [.property-path]##`quarkus.rest-client.logging.scope`## diff --git a/_generated-doc/main/config/quarkus-vertx-http_quarkus.http.adoc b/_generated-doc/main/config/quarkus-vertx-http_quarkus.http.adoc index b4105b680e..f17eb8c4aa 100644 --- a/_generated-doc/main/config/quarkus-vertx-http_quarkus.http.adoc +++ b/_generated-doc/main/config/quarkus-vertx-http_quarkus.http.adoc @@ -93,6 +93,34 @@ endif::add-copy-button-to-env-var[] |boolean |`true` +a|icon:lock[title=Fixed at build time] [[quarkus-vertx-http_quarkus-http-auth-inclusive]] [.property-path]##`quarkus.http.auth.inclusive`## + +[.description] +-- +Require that all registered HTTP authentication mechanisms must complete the authentication. + +Typically, this property has to be true when the credentials are carried over mTLS, when both mTLS and another authentication, for example, OIDC bearer token authentication, must succeed. In such cases, `SecurityIdentity` created by the first mechanism, mTLS, can be injected, identities created by other mechanisms will be available on `SecurityIdentity`. The identities can be retrieved using utility method as in the example below: + +``` +``` + +`io.quarkus.vertx.http.runtime.security.HttpSecurityUtils.getSecurityIdentities(securityIdentity)` + +This property is false by default which means that the authentication process is complete as soon as the first `SecurityIdentity` is created. + +This property will be ignored if the path specific authentication is enabled. + + +ifdef::add-copy-button-to-env-var[] +Environment variable: env_var_with_copy_button:+++QUARKUS_HTTP_AUTH_INCLUSIVE+++[] +endif::add-copy-button-to-env-var[] +ifndef::add-copy-button-to-env-var[] +Environment variable: `+++QUARKUS_HTTP_AUTH_INCLUSIVE+++` +endif::add-copy-button-to-env-var[] +-- +|boolean +|`false` + a|icon:lock[title=Fixed at build time] [[quarkus-vertx-http_quarkus-http-ssl-client-auth]] [.property-path]##`quarkus.http.ssl.client-auth`## [.description] diff --git a/_generated-doc/main/config/quarkus-websockets-next.adoc b/_generated-doc/main/config/quarkus-websockets-next.adoc index 97d3b4dbff..40576d5849 100644 --- a/_generated-doc/main/config/quarkus-websockets-next.adoc +++ b/_generated-doc/main/config/quarkus-websockets-next.adoc @@ -86,7 +86,9 @@ a| [[quarkus-websockets-next_quarkus-websockets-next-client-unhandled-failure-st -- The strategy used when an error occurs but no error handler can handle the failure. -By default, the connection is closed when an unhandled failure occurs. +By default, the error message is logged when an unhandled failure occurs. + +Note that clients should not close the WebSocket connection arbitrarily. See also RFC-6455 link:https://datatracker.ietf.org/doc/html/rfc6455#section-7.3[section 7.3]. ifdef::add-copy-button-to-env-var[] @@ -96,8 +98,8 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_WEBSOCKETS_NEXT_CLIENT_UNHANDLED_FAILURE_STRATEGY+++` endif::add-copy-button-to-env-var[] -- -a|tooltip:close[Close the connection.], tooltip:log[Log an error message.], tooltip:noop[No operation.] -|tooltip:close[Close the connection.] +a|tooltip:log-and-close[Log the error message and close the connection.], tooltip:close[Close the connection silently.], tooltip:log[Log the error message.], tooltip:noop[No operation.] +|tooltip:log[Log the error message.] a| [[quarkus-websockets-next_quarkus-websockets-next-client-tls-configuration-name]] [.property-path]##`quarkus.websockets-next.client.tls-configuration-name`## @@ -249,7 +251,7 @@ a| [[quarkus-websockets-next_quarkus-websockets-next-server-unhandled-failure-st -- The strategy used when an error occurs but no error handler can handle the failure. -By default, the connection is closed when an unhandled failure occurs. +By default, the error message is logged and the connection is closed when an unhandled failure occurs. ifdef::add-copy-button-to-env-var[] @@ -259,8 +261,8 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_WEBSOCKETS_NEXT_SERVER_UNHANDLED_FAILURE_STRATEGY+++` endif::add-copy-button-to-env-var[] -- -a|tooltip:close[Close the connection.], tooltip:log[Log an error message.], tooltip:noop[No operation.] -|tooltip:close[Close the connection.] +a|tooltip:log-and-close[Log the error message and close the connection.], tooltip:close[Close the connection silently.], tooltip:log[Log the error message.], tooltip:noop[No operation.] +|tooltip:log-and-close[Log the error message and close the connection.] a| [[quarkus-websockets-next_quarkus-websockets-next-server-security-auth-failure-redirect-url]] [.property-path]##`quarkus.websockets-next.server.security.auth-failure-redirect-url`## diff --git a/_generated-doc/main/config/quarkus-websockets-next_quarkus.websockets-next.adoc b/_generated-doc/main/config/quarkus-websockets-next_quarkus.websockets-next.adoc index 97d3b4dbff..40576d5849 100644 --- a/_generated-doc/main/config/quarkus-websockets-next_quarkus.websockets-next.adoc +++ b/_generated-doc/main/config/quarkus-websockets-next_quarkus.websockets-next.adoc @@ -86,7 +86,9 @@ a| [[quarkus-websockets-next_quarkus-websockets-next-client-unhandled-failure-st -- The strategy used when an error occurs but no error handler can handle the failure. -By default, the connection is closed when an unhandled failure occurs. +By default, the error message is logged when an unhandled failure occurs. + +Note that clients should not close the WebSocket connection arbitrarily. See also RFC-6455 link:https://datatracker.ietf.org/doc/html/rfc6455#section-7.3[section 7.3]. ifdef::add-copy-button-to-env-var[] @@ -96,8 +98,8 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_WEBSOCKETS_NEXT_CLIENT_UNHANDLED_FAILURE_STRATEGY+++` endif::add-copy-button-to-env-var[] -- -a|tooltip:close[Close the connection.], tooltip:log[Log an error message.], tooltip:noop[No operation.] -|tooltip:close[Close the connection.] +a|tooltip:log-and-close[Log the error message and close the connection.], tooltip:close[Close the connection silently.], tooltip:log[Log the error message.], tooltip:noop[No operation.] +|tooltip:log[Log the error message.] a| [[quarkus-websockets-next_quarkus-websockets-next-client-tls-configuration-name]] [.property-path]##`quarkus.websockets-next.client.tls-configuration-name`## @@ -249,7 +251,7 @@ a| [[quarkus-websockets-next_quarkus-websockets-next-server-unhandled-failure-st -- The strategy used when an error occurs but no error handler can handle the failure. -By default, the connection is closed when an unhandled failure occurs. +By default, the error message is logged and the connection is closed when an unhandled failure occurs. ifdef::add-copy-button-to-env-var[] @@ -259,8 +261,8 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_WEBSOCKETS_NEXT_SERVER_UNHANDLED_FAILURE_STRATEGY+++` endif::add-copy-button-to-env-var[] -- -a|tooltip:close[Close the connection.], tooltip:log[Log an error message.], tooltip:noop[No operation.] -|tooltip:close[Close the connection.] +a|tooltip:log-and-close[Log the error message and close the connection.], tooltip:close[Close the connection silently.], tooltip:log[Log the error message.], tooltip:noop[No operation.] +|tooltip:log-and-close[Log the error message and close the connection.] a| [[quarkus-websockets-next_quarkus-websockets-next-server-security-auth-failure-redirect-url]] [.property-path]##`quarkus.websockets-next.server.security.auth-failure-redirect-url`## diff --git a/_versions/main/guides/_attributes.adoc b/_versions/main/guides/_attributes.adoc index 7ad9b6fd01..f242cb118b 100644 --- a/_versions/main/guides/_attributes.adoc +++ b/_versions/main/guides/_attributes.adoc @@ -9,7 +9,7 @@ :graalvm-docs-version: jdk21 :graalvm-flavor: jdk-21 :mandrel-flavor: jdk-21 -:surefire-version: 3.4.0 +:surefire-version: 3.5.0 :gradle-version: 8.9 :elasticsearch-version: 8.15.0 :elasticsearch-image: docker.io/elastic/elasticsearch:8.15.0 diff --git a/_versions/main/guides/cdi-integration.adoc b/_versions/main/guides/cdi-integration.adoc index 4c9233e24f..39920b6516 100644 --- a/_versions/main/guides/cdi-integration.adoc +++ b/_versions/main/guides/cdi-integration.adoc @@ -323,6 +323,24 @@ SyntheticBeanBuildItem syntheticBean(TestRecorder recorder) { <1> By default, a synthetic bean is initialized during `STATIC_INIT`. <2> The bean instance is supplied by a value returned from a recorder method. +It is also possible to create a generic synthetic bean `Foo`. + +.`SyntheticBeanBuildItem` Example 3 +[source,java] +---- +@BuildStep +@Record(STATIC_INIT) +SyntheticBeanBuildItem syntheticBean(TestRecorder recorder) { + return SyntheticBeanBuildItem.configure(Foo.class) + .types(ParameterizedType.create(Foo.class, ClassType.create(Bar.class)))) <1> + .scope(Singleton.class) + .runtimeValue(recorder.createFooBar()) + .done(); +} +---- + +<1> `types()` or `addType()` must be used to specify the generic type. + It is possible to mark a synthetic bean to be initialized during `RUNTIME_INIT`. See the <> for more information about the difference between `STATIC_INIT` and `RUNTIME_INIT`. diff --git a/_versions/main/guides/gradle-tooling.adoc b/_versions/main/guides/gradle-tooling.adoc index d0b607b1df..0ba1a19ae1 100644 --- a/_versions/main/guides/gradle-tooling.adoc +++ b/_versions/main/guides/gradle-tooling.adoc @@ -828,6 +828,8 @@ The current state of compatibility is shown in the following table: |`quarkusAppPartsBuild`|✅ |`quarkusShowEffectiveConfig`|✅ |`quarkusBuild`|✅ +|`imageBuild`|✅ +|`imagePush`|✅ |`quarkusDev`|❌ |`quarkusRun`|❌ |`quarkusRemoteDev`|❌ @@ -835,8 +837,6 @@ The current state of compatibility is shown in the following table: |`quarkusGoOffline`|❌ |`quarkusInfo`|❌ |`quarkusUpdate`|❌ -|`imageBuild`|❌ -|`imagePush`|❌ |`deploy`|❌ |`listExtensions`|❌ |`listCategories`|❌ diff --git a/_versions/main/guides/native-reference.adoc b/_versions/main/guides/native-reference.adoc index 26671b71d9..f2ae15a6ae 100644 --- a/_versions/main/guides/native-reference.adoc +++ b/_versions/main/guides/native-reference.adoc @@ -602,7 +602,7 @@ For example: ---- $ ./mvnw verify -DskipITs=false -Dquarkus.test.integration-test-profile=test-with-native-agent ... -[INFO] --- failsafe:3.4.0:integration-test (default) @ new-project --- +[INFO] --- failsafe:3.5.0:integration-test (default) @ new-project --- ... [INFO] ------------------------------------------------------- [INFO] T E S T S diff --git a/_versions/main/guides/security-authentication-mechanisms.adoc b/_versions/main/guides/security-authentication-mechanisms.adoc index 4ff538208f..73dc068a08 100644 --- a/_versions/main/guides/security-authentication-mechanisms.adoc +++ b/_versions/main/guides/security-authentication-mechanisms.adoc @@ -584,6 +584,70 @@ ifndef::no-quarkus-elytron-security-oauth2[ ^|Yes] If different sources provide the user credentials, you can combine authentication mechanisms. For example, you can combine the built-in Basic and the Quarkus `quarkus-oidc` Bearer token authentication mechanisms. +The authentication process completes as soon as the first `SecurityIdentity` is produced by one of the authentication mechanisms. + +In some cases it can be required that all registered authentication mechanisms create their `SecurityIdentity`. +It can be required when the credentials such as tokens have to be passed over <>, +for example, when users are authenticating via `Virtual Private Network`, or when the current token has to be bound +to the client certificate for the token verification to succeed, guaranteeing that the token was issued exactly +to the same client which is currently passing this token to Quarkus alongside its client certificate. + +In Quarkus such authentication is called `inclusive` and you can enable it like this: + +[source,properties] +---- +quarkus.http.auth.inclusive=true +---- + +If the authentication is inclusive then `SecurityIdentity` created by the first authentication mechanism can be +injected into the application code. +For example, if both <> and basic authentication mechanism authentications are required, +the <> authentication mechanism will create `SecurityIdentity` first. + +Additional `SecurityIdentity` instances can be accessed as a `quarkus.security.identities` attribute on the first +`SecurityIdentity`, however, accessing these extra identities directly may not be necessary, for example, +when both <> and xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer authentication] mechanisms +have been combined and done their authentications, the authenticated bearer token can be injected as a token +credential alongside `SecurityIdentity` created by <>. This is exemplified below: + +[source,java] +---- +package org.acme.security; + +import io.quarkus.oidc.AccessTokenCredential; +import io.quarkus.oidc.common.runtime.OidcConstants; +import io.quarkus.security.identity.SecurityIdentity; +import io.quarkus.vertx.http.runtime.security.HttpSecurityUtils; +import jakarta.enterprise.context.ApplicationScoped; +import jakarta.inject.Inject; + +@ApplicationScoped +public class InclusiveAuthExampleBean { + + @Inject + SecurityIdentity mtlsIdentity; <1> + + @Inject + AccessTokenCredential accessTokenCredential; + + private AccessTokenCredential getAccessTokenCredential() { + if (doItHardWay()) { + var securityIdentities = HttpSecurityUtils.getSecurityIdentities(mtlsIdentity); <2> + if (securityIdentities != null) { + SecurityIdentity bearerIdentity = securityIdentities.get(OidcConstants.BEARER_SCHEME); + if (bearerIdentity != null) { + return bearerIdentity.getCredential(AccessTokenCredential.class); + } + } + } + return accessTokenCredential; + } + +} +---- +<1> This is the `SecurityIdentity` created by applicable authentication mechanism with the highest priority. +<2> Other applicable authentication mechanisms performed authentication and are available on the `SecurityIdentity`. + [IMPORTANT] ==== You cannot combine the Quarkus `quarkus-oidc` Bearer token and `smallrye-jwt` authentication mechanisms because both mechanisms attempt to verify the token extracted from the HTTP Bearer token authentication scheme. diff --git a/_versions/main/guides/websockets-next-reference.adoc b/_versions/main/guides/websockets-next-reference.adoc index 779057a83e..37aa9ce172 100644 --- a/_versions/main/guides/websockets-next-reference.adoc +++ b/_versions/main/guides/websockets-next-reference.adoc @@ -424,8 +424,8 @@ The method that declares a most-specific supertype of the actual exception is se NOTE: The `@io.quarkus.websockets.next.OnError` annotation can be also used to declare a global error handler, i.e. a method that is not declared on a WebSocket endpoint. Such a method may not accept `@PathParam` paremeters. Error handlers declared on an endpoint take precedence over the global error handlers. When an error occurs but no error handler can handle the failure, Quarkus uses the strategy specified by `quarkus.websockets-next.server.unhandled-failure-strategy`. -By default, the connection is closed. -Alternatively, an error message can be logged or no operation performed. +For server endpoints, the error message is logged and the connection is closed by default. +For client endpoints, the error message is logged by default. [[serialization]] === Serialization and deserialization