Skip to content

Commit

Permalink
Conditionalize content in upstream Quarkus repository for the 3.8.nex…
Browse files Browse the repository at this point in the history 
…t product release #39954
  • Loading branch information
@rolfedh
rolfedh committed Apr 11, 2024
1 parent 051e910 commit c953567
Show file tree
Hide file tree
Showing 13 changed files with 131 additions and 38 deletions.
10 changes: 10 additions & 0 deletions docs/src/main/asciidoc/datasource.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,9 @@ For more information about pool size adjustment properties, see the <<jdbc-confi

. Add the correct reactive extension for the database of your choice.

ifndef::quarkus-reactive-db2-client[]
* `quarkus-reactive-db2-client`
endif::quarkus-reactive-db2-client[]
* `quarkus-reactive-mssql-client`
* `quarkus-reactive-mysql-client`
* `quarkus-reactive-oracle-client`
Expand Down Expand Up @@ -300,7 +302,9 @@ Quarkus offers several reactive clients for use with a reactive datasource.

. Add the corresponding extension to your application:
+
ifndef::quarkus-reactive-db2-client[]
* DB2: `quarkus-reactive-db2-client`
endif::quarkus-reactive-db2-client[]
* MariaDB/MySQL: `quarkus-reactive-mysql-client`
* Microsoft SQL Server: `quarkus-reactive-mssql-client`
* Oracle: `quarkus-reactive-oracle-client`
Expand Down Expand Up @@ -592,6 +596,7 @@ However, the Quarkus Derby extension allows native compilation of the Derby JDBC
* Embedding H2 within your native image is not recommended.

Check warning on line 596 in docs/src/main/asciidoc/datasource.adoc

View workflow job for this annotation

GitHub Actions / Linting with Vale 

[vale] reported by reviewdog 🐶
[Quarkus.TermsSuggestions] Depending on the context, consider using 'by using' or 'that uses' rather than 'using'.

Raw Output:
{"message": "[Quarkus.TermsSuggestions] Depending on the context, consider using 'by using' or 'that uses' rather than 'using'.", "location": {"path": "docs/src/main/asciidoc/datasource.adoc", "range": {"start": {"line": 596, "column": 59}}}, "severity": "INFO"}
Consider using an alternative approach, for example, using a remote connection to a separate database instead.

ifndef::deprecated-test-resource[]
==== Run an integration test

. Add a dependency on the artifacts providing the additional tools that are under the following Maven coordinates:
Expand Down Expand Up @@ -628,6 +633,7 @@ public class TestResources {
quarkus.datasource.db-kind=h2
quarkus.datasource.jdbc.url=jdbc:h2:tcp://localhost/mem:test
----
endif::deprecated-test-resource[]

[[datasource-reference]]
== References
Expand Down Expand Up @@ -820,9 +826,11 @@ a|* JDBC: `org.postgresql.Driver`
|`reactive-pg-client`
|`io.vertx.pgclient.spi.PgDriver`

ifndef::quarkus-reactive-db2-client[]
|`db2`
|`reactive-db2-client`
|`io.vertx.db2client.spi.DB2Driver`
endif::quarkus-reactive-db2-client[]
|===

[TIP]
Expand All @@ -836,9 +844,11 @@ This automatic resolution is applicable in most cases so that driver configurati

include::{generated-dir}/config/quarkus-reactive-datasource.adoc[opts=optional, leveloffset=+1]

ifndef::quarkus-reactive-db2-client[]
==== Reactive DB2 configuration

include::{generated-dir}/config/quarkus-reactive-db2-client.adoc[opts=optional, leveloffset=+1]
endif::quarkus-reactive-db2-client[]

==== Reactive MariaDB/MySQL specific configuration

Expand Down
83 changes: 60 additions & 23 deletions docs/src/main/asciidoc/security-authentication-mechanisms.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,10 @@ The following table maps specific authentication requirements to a supported mec

|Username and password |xref:security-basic-authentication.adoc[Basic], <<form-auth>>

|Bearer access token |xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer token authentication], xref:security-jwt.adoc[JWT], xref:security-oauth2.adoc[OAuth2]
|Bearer access token |xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer token authentication], xref:security-jwt.adoc[JWT]
ifndef::quarkus-elytron-security-oauth2[]
, xref:security-oauth2.adoc[OAuth2]
endif::quarkus-elytron-security-oauth2[]

|Single sign-on (SSO) |xref:security-oidc-code-flow-authentication.adoc[OIDC Code Flow], <<form-auth>>

Expand Down Expand Up @@ -96,7 +99,7 @@ quarkus.http.auth.form.error-page=
# Define testing user
quarkus.security.users.embedded.enabled=true
quarkus.security.users.embedded.plain-text=true
quarkus.security.users.embedded.users.alice=alice
quarkus.security.users.embedded.users.alice=alice
quarkus.security.users.embedded.roles.alice=user
----

Expand Down Expand Up @@ -315,7 +318,9 @@ Quarkus Security also supports the following authentication mechanisms through e
* <<webauthn-authentication>>
* <<openid-connect-authentication>>
* <<smallrye-jwt-authentication>>
ifndef::quarkus-elytron-security-oauth2[]
* <<oauth2-authentication>>
endif::quarkus-elytron-security-oauth2[]

[[webauthn-authentication]]
=== WebAuthn authentication
Expand Down Expand Up @@ -357,7 +362,9 @@ For more information about OIDC authentication and authorization methods that yo
|Multiple tenants that can support the Bearer token authentication or Authorization Code Flow mechanisms|xref:security-openid-connect-multitenancy.adoc[Using OpenID Connect (OIDC) multi-tenancy]
|Securing Quarkus with commonly used OpenID Connect providers|xref:security-openid-connect-providers.adoc[Configuring well-known OpenID Connect providers]
|Using Keycloak to centralize authorization |xref:security-keycloak-authorization.adoc[Using OpenID Connect (OIDC) and Keycloak to centralize authorization]
ifndef::quarkus-keycloak-admin-client[]
|Configuring Keycloak programmatically |xref:security-keycloak-admin-client.adoc[Using the Keycloak admin client]
endif::quarkus-keycloak-admin-client[]
|====

[NOTE]
Expand Down Expand Up @@ -404,13 +411,15 @@ It represents them as `org.eclipse.microprofile.jwt.JsonWebToken`.

For more information, see the xref:security-jwt.adoc[Using JWT RBAC] guide.

ifndef::quarkus-elytron-security-oauth2[]
[[oauth2-authentication]]
=== OAuth2 authentication

`quarkus-elytron-security-oauth2` provides an alternative to the Quarkus `quarkus-oidc` Bearer token authentication mechanism extension.
`quarkus-elytron-security-oauth2` is based on `Elytron` and is primarily intended for introspecting opaque tokens remotely.

For more information, see the Quarkus xref:security-oauth2.adoc[Using OAuth2] guide.
endif::quarkus-elytron-security-oauth2[]

[[oidc-jwt-oauth2-comparison]]
== Choosing between OpenID Connect, SmallRye JWT, and OAuth2 authentication mechanisms
Expand All @@ -425,13 +434,17 @@ In both cases, `quarkus-oidc` requires a connection to the specified OpenID Conn
* If the user authentication requires Authorization Code flow, or you need to support multiple tenants, use `quarkus-oidc`.
`quarkus-oidc` can also request user information by using both Authorization Code Flow and Bearer access tokens.

* If your bearer tokens must be verified, use `quarkus-oidc`, `quarkus-smallrye-jwt`, or `quarkus-elytron-security-oauth2`.
* If your bearer tokens must be verified, use `quarkus-oidc`,
ifndef::quarkus-elytron-security-oauth2[`quarkus-elytron-security-oauth2`, ]
or `quarkus-smallrye-jwt`.

* If your bearer tokens are in a JSON web token (JWT) format, you can use any extensions in the preceding list.
Both `quarkus-oidc` and `quarkus-smallrye-jwt` support refreshing the `JsonWebKey` (JWK) set when the OpenID Connect provider rotates the keys.
Therefore, if remote token introspection must be avoided or is unsupported by the providers, use `quarkus-oidc` or `quarkus-smallrye-jwt` to verify JWT tokens.

* To introspect the JWT tokens remotely, you can use either `quarkus-oidc` or `quarkus-elytron-security-oauth2` because they support verifying the opaque or binary tokens by using remote introspection.
* To introspect the JWT tokens remotely, you can use `quarkus-oidc`
ifndef::quarkus-elytron-security-oauth2[or `quarkus-elytron-security-oauth2`]
for verifying the opaque or binary tokens by using remote introspection.
`quarkus-smallrye-jwt` does not support the remote introspection of both opaque or JWT tokens but instead relies on the locally available keys that are usually retrieved from the OpenID Connect provider.

* `quarkus-oidc` and `quarkus-smallrye-jwt` support the JWT and opaque token injection into the endpoint code.
Expand All @@ -442,9 +455,10 @@ All extensions can have the tokens injected as `Principal`.
`quarkus-oidc` uses only the JWK-formatted keys that are part of a JWK set, whereas `quarkus-smallrye-jwt` supports PEM keys.

* `quarkus-smallrye-jwt` handles locally signed, inner-signed-and-encrypted, and encrypted tokens.
In contrast, although `quarkus-oidc` and `quarkus-elytron-security-oauth2` can also verify such tokens, they treat them as opaque tokens and verify them through remote introspection.
ifndef::quarkus-elytron-security-oauth2[In contrast, although `quarkus-oidc` and `quarkus-elytron-security-oauth2` can also verify such tokens, they treat them as opaque tokens and verify them through remote introspection.]
ifdef::quarkus-elytron-security-oauth2[In contrast, although `quarkus-oidc` can also verify such tokens, it treats them as opaque tokens and verifies them through remote introspection.]

* If you need a lightweight library for the remote introspection of opaque or JWT tokens, use `quarkus-elytron-security-oauth2`.
ifndef::quarkus-elytron-security-oauth2[* If you need a lightweight library for the remote introspection of opaque or JWT tokens, use `quarkus-elytron-security-oauth2`.]

[NOTE]
====
Expand All @@ -457,30 +471,53 @@ Nonetheless, the providers effectively delegate most of the token-associated sta
====

[[table]]
.Token authentication mechanism comparison
.Comparison of features by token authentication mechanism or extension
|===
^|Feature required 3+^| Authentication mechanism
ifndef::quarkus-elytron-security-oauth2[ ^|Feature required 3+^| Authentication mechanism]
ifdef::quarkus-elytron-security-oauth2[ ^|Feature required 2+^| Authentication mechanism]

^| ^s|`quarkus-oidc` ^s|`quarkus-smallrye-jwt` ^s| `quarkus-elytron-security-oauth2`
^| ^s|`quarkus-oidc` ^s|`quarkus-smallrye-jwt`
ifndef::quarkus-elytron-security-oauth2[ ^s|`quarkus-elytron-security-oauth2`]

s|Bearer JWT verification ^|Local verification or introspection ^|Local verification ^|Introspection
s|Bearer JWT verification ^|Local verification or introspection ^|Local verification
ifndef::quarkus-elytron-security-oauth2[ ^|Introspection]

s|Bearer opaque token verification ^|Introspection ^|No ^|Introspection
s|Refreshing `JsonWebKey` set to verify JWT tokens ^|Yes ^|Yes ^|No
s|Represent token as `Principal` ^|Yes ^|Yes ^|Yes
s|Inject JWT as MP JWT ^|Yes ^|Yes ^|No
s|Bearer opaque token verification ^|Introspection ^|No
ifndef::quarkus-elytron-security-oauth2[ ^|Introspection]

s|Authorization code flow ^| Yes ^|No ^|No
s|Multi-tenancy ^| Yes ^|No ^|No
s|User information support ^| Yes ^|No ^|No
s|PEM key format support ^|No ^|Yes ^|No
s|Refreshing `JsonWebKey` set to verify JWT tokens ^|Yes ^|Yes
ifndef::quarkus-elytron-security-oauth2[ ^|No]

s|SecretKey support ^|No ^|In JSON Web Key (JWK) format ^|No
s|Inner-signed and encrypted or encrypted tokens ^|Introspection ^|Local verification ^|Introspection
s|Custom token verification ^|No ^|With injected JWT parser ^|No
s|JWT as a cookie support ^|No ^|Yes ^|Yes
|===
s|Represent token as `Principal` ^|Yes ^|Yes
ifndef::quarkus-elytron-security-oauth2[ ^|Yes]

s|Inject JWT as MP JWT ^|Yes ^|Yes
ifndef::quarkus-elytron-security-oauth2[ ^|No]

s|Authorization code flow ^| Yes ^|No
ifndef::quarkus-elytron-security-oauth2[ ^|No]

s|Multi-tenancy ^| Yes ^|No
ifndef::quarkus-elytron-security-oauth2[ ^|No]

s|User information support ^| Yes ^|No
ifndef::quarkus-elytron-security-oauth2[ ^|No]

s|PEM key format support ^|No ^|Yes
ifndef::quarkus-elytron-security-oauth2[ ^|No]

s|SecretKey support ^|No ^|In JSON Web Key (JWK) format
ifndef::quarkus-elytron-security-oauth2[ ^|No]

s|Inner-signed and encrypted or encrypted tokens ^|Introspection ^|Local verification
ifndef::quarkus-elytron-security-oauth2[ ^|Introspection]

s|Custom token verification ^|No ^|With injected JWT parser
ifndef::quarkus-elytron-security-oauth2[ ^|No]

s|JWT as a cookie support ^|No ^|Yes
ifndef::quarkus-elytron-security-oauth2[ ^|Yes]
|===

== Combining authentication mechanisms

Expand Down
5 changes: 5 additions & 0 deletions docs/src/main/asciidoc/security-basic-authentication-howto.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,12 @@ Enable xref:security-basic-authentication.adoc[Basic authentication] for your Qu
* You have installed at least one extension that provides an `IdentityProvider` based on username and password.
For example:

ifndef::quarkus-security-jpa-reactive[]
** xref:security-jpa.adoc[Quarkus Security Jakarta Persistence extensions (`security-jpa` or `security-jpa-reactive`)]
endif::quarkus-security-jpa-reactive[]
ifdef::quarkus-security-jpa-reactive[]
** xref:security-jpa.adoc[Quarkus Security Jakarta Persistence extension (`security-jpa`)]
endif::quarkus-security-jpa-reactive[]
** xref:security-properties.adoc[Elytron security properties file extension `(quarkus-elytron-security-properties-file)`]
** xref:security-jdbc.adoc[Elytron security JDBC extension `(quarkus-elytron-security-jdbc)`]

Expand Down
17 changes: 16 additions & 1 deletion docs/src/main/asciidoc/security-getting-started-tutorial.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -54,12 +54,20 @@ You can find the solution in the `security-jpa-quickstart` link:{quickstarts-tre

== Create and verify the Maven project

ifndef::quarkus-security-jpa-reactive[]
For Quarkus Security to be able to map your security source to Jakarta Persistence entities, ensure that the Maven project in this tutorial includes the `security-jpa` or `security-jpa-reactive` extension.
endif::quarkus-security-jpa-reactive[]
ifdef::quarkus-security-jpa-reactive[]
For Quarkus Security to be able to map your security source to Jakarta Persistence entities, ensure that the Maven project in this tutorial includes the `security-jpa` extension.
endif::quarkus-security-jpa-reactive[]

[NOTE]
====
xref:hibernate-orm-panache.adoc[Hibernate ORM with Panache] is used to store your user identities, but you can also use xref:hibernate-orm.adoc[Hibernate ORM] with the `security-jpa` extension.
ifndef::quarkus-security-jpa-reactive[]
Both xref:hibernate-reactive.adoc[Hibernate Reactive] and xref:hibernate-reactive-panache.adoc[Hibernate Reactive with Panache] can be used with the `security-jpa-reactive` extension.
endif::quarkus-security-jpa-reactive[]
You must also add your preferred database connector library.
The instructions in this example tutorial use a PostgreSQL database for the identity store.
Expand All @@ -86,12 +94,14 @@ include::{includes}/devtools/create-app.adoc[]
:add-extension-extensions: security-jpa
include::{includes}/devtools/extension-add.adoc[]
====
ifndef::quarkus-security-jpa-reactive[]
** To add the Security Jakarta Persistence extension to an existing Maven project with Hibernate Reactive, run the following command from your project base directory:
+
====
:add-extension-extensions: security-jpa-reactive
include::{includes}/devtools/extension-add.adoc[]
====
endif::quarkus-security-jpa-reactive[]

=== Verify the quarkus-security-jpa dependency

Check warning on line 106 in docs/src/main/asciidoc/security-getting-started-tutorial.adoc

View workflow job for this annotation

GitHub Actions / Linting with Vale 

[vale] reported by reviewdog 🐶
[Quarkus.HeadingPunctuation] Do not use end punctuation in headings.

Raw Output:
{"message": "[Quarkus.HeadingPunctuation] Do not use end punctuation in headings.", "location": {"path": "docs/src/main/asciidoc/security-getting-started-tutorial.adoc", "range": {"start": {"line": 106, "column": 1}}}, "severity": "INFO"}

Expand All @@ -115,6 +125,7 @@ After you have run either of the preceding commands to create the Maven project,
implementation("io.quarkus:quarkus-security-jpa")
----
====
ifndef::quarkus-security-jpa-reactive[]
* To verify the `security-jpa-reactive` extension, check for the following configuration:
+
====
Expand All @@ -133,6 +144,7 @@ implementation("io.quarkus:quarkus-security-jpa")
implementation("io.quarkus:quarkus-security-jpa-reactive")
----
====
endif::quarkus-security-jpa-reactive[]

== Write the application

Expand Down Expand Up @@ -280,12 +292,13 @@ You can configure it to use plain text or custom passwords.
====
Don’t forget to set up the Panache and PostgreSQL JDBC driver, please see xref:hibernate-orm-panache.adoc#setting-up-and-configuring-hibernate-orm-with-panache[Setting up and configuring Hibernate ORM with Panache] for more information.
====

ifndef::quarkus-security-jpa-reactive[]
[NOTE]
====
Hibernate Reactive Panache uses `io.quarkus.hibernate.reactive.panache.PanacheEntity` instead of `io.quarkus.hibernate.orm.panache.PanacheEntity`.
For more information, see link:{quickstarts-tree-url}/security-jpa-reactive-quickstart/src/main/java/org/acme/elytron/security/jpa/reactive/User.java[User file].
====
endif::quarkus-security-jpa-reactive[]

== Configure the application

Expand Down Expand Up @@ -318,6 +331,7 @@ quarkus.hibernate-orm.database.generation=drop-and-create
+
. To initialize the database with users and roles, implement the `Startup` class, as outlined in the following code snippet:

Check warning on line 332 in docs/src/main/asciidoc/security-getting-started-tutorial.adoc

View workflow job for this annotation

GitHub Actions / Linting with Vale 

[vale] reported by reviewdog 🐶
[Quarkus.TermsSuggestions] Depending on the context, consider using 'because' or 'while' rather than 'as'.

Raw Output:
{"message": "[Quarkus.TermsSuggestions] Depending on the context, consider using 'because' or 'while' rather than 'as'.", "location": {"path": "docs/src/main/asciidoc/security-getting-started-tutorial.adoc", "range": {"start": {"line": 332, "column": 83}}}, "severity": "INFO"}

ifndef::quarkus-security-jpa-reactive[]
[NOTE]
====
* The URLs of Reactive datasources that are used by the `security-jpa-reactive` extension are set with the `quarkus.datasource.reactive.url`
Expand All @@ -333,6 +347,7 @@ link:https://hibernate.org/orm/[Hibernate ORM] automatically creates the databas
This approach is suitable for development but is not recommended for production.
Therefore, adjustments are needed in a production environment.
====
endif::quarkus-security-jpa-reactive[]

[source,java]
----
Expand Down
2 changes: 2 additions & 0 deletions docs/src/main/asciidoc/security-oidc-auth0-tutorial.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -887,6 +887,7 @@ Open a browser, access http://localhost:8080/hello and get the name displayed in

To confirm the permission is correctly enforced, change it to `echo.name`: `@PermissionsAllowed("echo.name")`. Clear the browser cache, access http://localhost:8080/hello again and you will get `403` reported by `ApiEchoService`. Now revert it back to `@PermissionsAllowed("echo:name")`.

ifndef::deprecated-test-resource[]
== Integration testing

You have already used OIDC DevUI SPA to login to Auth0 and test the Quarkus endpoint with the access token, updating the endpoint code along the way.
Expand Down Expand Up @@ -1035,6 +1036,7 @@ image::auth0-test-success.png[Auth0 test success]
By the way, if you like, you can run the tests in Continuous mode directly from DevUI:

image::auth0-continuous-testing.png[Auth0 Continuous testing]
endif::deprecated-test-resource[]

[[production-mode]]
== Production mode
Expand Down
7 changes: 5 additions & 2 deletions docs/src/main/asciidoc/security-oidc-bearer-token-authentication-tutorial.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -228,13 +228,14 @@ docker run --name keycloak -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=ad

For more information, see the Keycloak documentation about link:https://www.keycloak.org/docs/latest/server_admin/index.html#configuring-realms[creating and configuring a new realm].


ifndef::quarkus-keycloak-admin-client[]
[NOTE]
====
If you want to use the Keycloak Admin Client to configure your server from your application, you need to include either the `quarkus-keycloak-admin-rest-client` or the `quarkus-keycloak-admin-resteasy-client` (if the application uses `quarkus-rest-client`) extension.

Check warning on line 234 in docs/src/main/asciidoc/security-oidc-bearer-token-authentication-tutorial.adoc

View workflow job for this annotation

GitHub Actions / Linting with Vale 

[vale] reported by reviewdog 🐶
[Quarkus.Fluff] Depending on the context, consider using 'Rewrite the sentence, or use 'must', instead of' rather than 'need to'.

Raw Output:
{"message": "[Quarkus.Fluff] Depending on the context, consider using 'Rewrite the sentence, or use 'must', instead of' rather than 'need to'.", "location": {"path": "docs/src/main/asciidoc/security-oidc-bearer-token-authentication-tutorial.adoc", "range": {"start": {"line": 234, "column": 98}}}, "severity": "INFO"}
For more information, see the xref:security-keycloak-admin-client.adoc[Quarkus Keycloak Admin Client] guide.
====
endif::quarkus-keycloak-admin-client[]



[[keycloak-dev-mode]]
Expand Down Expand Up @@ -367,4 +368,6 @@ For information about writing integration tests that depend on `Dev Services for
* xref:security-jwt-build.adoc[Sign and encrypt JWT tokens with SmallRye JWT Build]
* xref:security-authentication-mechanisms.adoc#combining-authentication-mechanisms[Combining authentication mechanisms]
* xref:security-overview.adoc[Quarkus Security overview]
ifndef::quarkus-keycloak-admin-client[]
* xref:security-keycloak-admin-client.adoc[Quarkus Keycloak Admin Client]
endif::quarkus-keycloak-admin-client[]
Loading

0 comments on commit c953567

Please sign in to comment.