Sync documentation of main branch

actions-user · actions-user · commit 14129d90c59b · 2025-08-22T02:06:03.000Z
diff --git a/_generated-doc/main/config/quarkus-all-config.adoc b/_generated-doc/main/config/quarkus-all-config.adoc
@@ -16681,7 +16681,7 @@ Environment variable: `+++QUARKUS_HTTP_CORS_ENABLED+++`
 endif::add-copy-button-to-env-var[]
 --
 |boolean
-|`+++${quarkus.http.cors:false}+++`
+|`+++false+++`
 
 a| [[quarkus-vertx-http_quarkus-http-cors-origins]] [.property-path]##link:#quarkus-vertx-http_quarkus-http-cors-origins[`quarkus.http.cors.origins`]##
 ifdef::add-copy-button-to-config-props[]
diff --git a/_generated-doc/main/config/quarkus-vertx-http_quarkus.http.adoc b/_generated-doc/main/config/quarkus-vertx-http_quarkus.http.adoc
diff --git a/_generated-doc/main/config/quarkus-vertx-http_quarkus.http.cors.adoc b/_generated-doc/main/config/quarkus-vertx-http_quarkus.http.cors.adoc
@@ -26,7 +26,7 @@ Environment variable: `+++QUARKUS_HTTP_CORS_ENABLED+++`
 endif::add-copy-button-to-env-var[]
 --
 |boolean
-|`+++${quarkus.http.cors:false}+++`
+|`+++false+++`
 
 a| [[quarkus-vertx-http_quarkus-http-cors_quarkus-http-cors-origins]] [.property-path]##link:#quarkus-vertx-http_quarkus-http-cors_quarkus-http-cors-origins[`quarkus.http.cors.origins`]##
 ifdef::add-copy-button-to-config-props[]
diff --git a/_generated-doc/main/infra/quarkus-all-build-items.adoc b/_generated-doc/main/infra/quarkus-all-build-items.adoc
@@ -9500,6 +9500,17 @@ _No Javadoc found_
 
 
 
+a| https://github.com/quarkusio/quarkus/blob/main/extensions/vertx-http/deployment/src/main/java/io/quarkus/vertx/http/deployment/CsrfBuilderClassBuildItem.java[`io.quarkus.vertx.http.deployment.CsrfBuilderClassBuildItem`, window="_blank"]
+[.description]
+--
+At most one extension can register a CSRF builder used by the HTTP Security fluent API. The builder class must have public no-args constructor.
+-- a|`java.lang.Class<? extends CSRF.Builder> csrfBuilderClass` 
+
+_No Javadoc found_
+
+
+
+
 a| https://github.com/quarkusio/quarkus/blob/main/extensions/vertx-http/deployment/src/main/java/io/quarkus/vertx/http/deployment/DefaultRouteBuildItem.java[`io.quarkus.vertx.http.deployment.DefaultRouteBuildItem`, window="_blank"]
 [.description]
 --
diff --git a/_versions/main/guides/compose-dev-services.adoc b/_versions/main/guides/compose-dev-services.adoc
@@ -645,6 +645,8 @@ Compose Dev Services won't try to discover any services and will be disabled.
 === Compose Dev Services used for tests
 
 For Quarkus tests, a generated project name in the format `quarkus-devservices-<application-name>-<random-suffix>` is used by default to ensure isolation between test runs and running dev mode services.
+If the top-level name attribute is specified in the Compose file, the project name in the format `<compose-name>-<random-suffix>` is used.
+
 This way, Quarkus tests start a separate copy of the services defined in the compose files.
 For example, when running continuous testing in development mode, tests will have their own isolated set of services.
 
diff --git a/_versions/main/guides/config-yaml.adoc b/_versions/main/guides/config-yaml.adoc
@@ -204,18 +204,17 @@ The values from this file override any values from the regular `application.yaml
 
 The MicroProfile Config specification defines configuration properties as an arbitrary `.`-delimited string.
 However, structured formats such as YAML only support a subset of the possible configuration namespace.
-For example, consider the two configuration properties `quarkus.http.cors` and `quarkus.http.cors.methods`.
+For example, consider the two configuration properties `one.two` and `one.two.three`.
 One property is the prefix of another, so it might not be immediately evident how to specify both keys in your YAML configuration.
 
 This is solved by using `~` as a `null` key to represent any YAML property that is a prefix of another one:
 
 [source,yaml]
 ----
-quarkus:
-  http:
-    cors:
-      ~: true
-      methods: GET,PUT,POST
+one:
+  two:
+    ~: 12
+    three: 123
 ----
 
 YAML `null` keys are not included in the assembly of the configuration property name, allowing them to be used at any level for disambiguating configuration properties.
diff --git a/_versions/main/guides/dev-ui.adoc b/_versions/main/guides/dev-ui.adoc
@@ -397,7 +397,7 @@ To add a tab to the Dev UI settings dialog, produce a `SettingPageBuildItem`:
     @BuildStep(onlyIf = IsLocalDevelopment.class) // <1>
     void createMCPSettingsTab(BuildProducer<SettingPageBuildItem> settingPageProducer) {
 
-        SettingPageBuildItem mcpSettingTab = new SettingPageBuildItem("Dev MCP");// <2>
+        SettingPageBuildItem mcpSettingTab = new SettingPageBuildItem();// <2>
 
         mcpSettingTab.addPage(Page.webComponentPageBuilder() // <3>
                 .title("Dev MCP")// <4>
@@ -438,7 +438,7 @@ To do this, produce a `UnlistedPageBuildItem`:
     @BuildStep(onlyIf = IsLocalDevelopment.class) // <1>
     void createMCPUnlistedPages(BuildProducer<UnlistedPageBuildItem> unlistedPageProducer) {
 
-        UnlistedPageBuildItem mcpOtherPages = new UnlistedPageBuildItem("Dev MCP"); // <2>
+        UnlistedPageBuildItem mcpOtherPages = new UnlistedPageBuildItem(); // <2>
 
         mcpOtherPages.addPage(Page.webComponentPageBuilder() // <3>
                 .title("Tools") // <4>
diff --git a/_versions/main/guides/security-authorize-web-endpoints-reference.adoc b/_versions/main/guides/security-authorize-web-endpoints-reference.adoc
@@ -13,9 +13,6 @@ include::_attributes.adoc[]
 Quarkus incorporates a pluggable web security layer.
 When security is active, the system performs a permission check on all HTTP requests to determine if they should proceed.
 
-Using `@PermitAll` will not open a path if the path is restricted by the `quarkus.http.auth.` configuration.
-To ensure specific paths are accessible, appropriate configurations must be made within the Quarkus security settings.
-
 [NOTE]
 ====
 If you use Jakarta RESTful Web Services, consider using `quarkus.security.jaxrs.deny-unannotated-endpoints` or `quarkus.security.jaxrs.default-roles-allowed` to set default security requirements instead of HTTP path-level matching because annotations can override these properties on an individual endpoint.
@@ -30,6 +27,11 @@ xref:security-customization.adoc#security-identity-customization[Security Identi
 
 Permissions are defined in the Quarkus configuration by permission sets, each specifying a policy for access control.
 
+[NOTE]
+====
+When a security policy's `paths` property contains the most specific path that matches the current request path, it takes precedence over other security policies with matching paths and is said to win.
+====
+
 .{project-name} policies summary
 [options="header"]
 |===
@@ -263,7 +265,7 @@ quarkus.http.auth.permission.public.policy=permit
 Previous examples demonstrated matching all sub-paths when a path concludes with the `$$*$$`
 wildcard.
 
-This wildcard also applies in the middle of a path, representing a single path segment.
+This wildcard can also be applied in the middle of a path, representing a single path segment.
 It cannot be mixed with other path segment characters; thus, path separators always enclose the `$$*$$` wildcard, as seen in the `/public/$$*$$/about-us` path.
 
 When several path patterns correspond to the same request path, the system selects the longest sub-path leading to the `$$*$$` wildcard.
@@ -425,7 +427,7 @@ For more information, see link:https://quarkus.io/blog/path-resolution-in-quarku
 [[map-security-identity-roles]]
 === Map `SecurityIdentity` roles
 
-Winning role-based policy can map the `SecurityIdentity` roles to the deployment-specific roles.
+The winning role-based policy that was chosen to authorize the current request can map `SecurityIdentity` roles to deployment-specific roles.
 These roles are then applicable for endpoint authorization by using the `@RolesAllowed` annotation.
 
 [source,properties]
@@ -466,7 +468,7 @@ public class HttpSecurityConfiguration {
 === Shared permission checks
 
 One important rule for unshared permission checks is that only one path match is applied, the most specific one.
-Naturally you can specify as many permissions with the same winning path as you want and they will all be applied.
+When a path matches as the most specific, you can specify multiple permissions for that path and they are all applied.
 However, there can be permission checks you want to apply to many paths without repeating them over and over again.
 That's where shared permission checks come in, they are always applied when the permission path is matched.
 
@@ -597,13 +599,21 @@ The same authorization can be required with the `@PermissionsAllowed(value = { "
 * xref:security-authentication-mechanisms.adoc#form-based-auth-programmatic-set-up[Set up Form-based authentication programmatically]
 * xref:security-authentication-mechanisms.adoc#mtls-programmatic-set-up[Set up the mutual TLS client authentication programmatically]
 * xref:security-cors.adoc#cors-filter-programmatic-set-up[Configuring the CORS filter programmatically]
+* xref:security-csrf-prevention.adoc#csrf-prevention-programmatic-set-up[Configuring the CSRF prevention programmatically]
 
 [[standard-security-annotations]]
 == Authorization using annotations
 
 {project-name} includes built-in security to allow for link:https://en.wikipedia.org/wiki/Role-based_access_control[Role-Based Access Control (RBAC)]
 based on the common security annotations `@RolesAllowed`, `@DenyAll`, `@PermitAll` on REST endpoints and CDI beans.
 
+[NOTE]
+====
+Authorization checks for `quarkus.http.auth.` configurations are performed before security checks for standard security annotations.
+Therefore, `@PermitAll` only permits access to paths that are not already restricted by HTTP permissions.
+`@PermitAll` cannot override HTTP-level security configurations, only relax restrictions imposed by other standard security annotations such as `@RolesAllowed`.
+====
+
 .{project-name} annotation types summary
 [options="header"]
 |===
@@ -684,7 +694,10 @@ This returns `non-null` for a secured endpoint.
 <6> The `/subject/denied` endpoint declares the `@DenyAll` annotation, disallowing all direct access to it as a REST method, regardless of the user calling it.
 The method is still invokable internally by other methods in this class.
 
-CAUTION: If you plan to use standard security annotations on the IO thread, review the information in xref:security-proactive-authentication.adoc[Proactive Authentication].
+[CAUTION]
+====
+If you plan to use standard security annotations on the IO thread, review the information in xref:security-proactive-authentication.adoc[Proactive Authentication].
+====
 
 The `@RolesAllowed` annotation value supports xref:config-reference.adoc#property-expressions[property expressions] including default values and nested property expressions.
 Configuration properties used with the annotation are resolved at runtime.
diff --git a/_versions/main/guides/security-csrf-prevention.adoc b/_versions/main/guides/security-csrf-prevention.adoc
@@ -324,6 +324,31 @@ quarkus.rest-csrf.verify-token=false
 
 include::{generated-dir}/config/quarkus-rest-csrf.adoc[leveloffset=+1, opts=optional]
 
+[[csrf-prevention-programmatic-set-up]]
+== Configuring the CSRF prevention programmatically
+
+When the `quarkus-rest-csrf` extension is used, the `io.quarkus.vertx.http.security.HttpSecurity` CDI event allows you to customize the CSRF prevention programmatically:
+
+[source,java]
+----
+package org.acme.http.security;
+
+import io.quarkus.vertx.http.security.CSRF;
+import io.quarkus.vertx.http.security.HttpSecurity;
+import jakarta.enterprise.event.Observes;
+
+public class CsrfProgrammaticConfig {
+    void configure(@Observes HttpSecurity httpSecurity) {
+        httpSecurity.csrf(CSRF.builder()    <1>
+                .formFieldName("my-csrf-token")
+                .tokenSize(32)
+                .build());
+    }
+}
+----
+<1> Creates the CSRF prevention configuration builder provided by the `quarkus-rest-csrf` extension.
+If this extension is missing, call to the `CSRF.builder()` will fail.
+
 == References
 
 * https://owasp.org/www-community/attacks/csrf[OWASP Cross-Site Request Forgery]
diff --git a/_versions/main/guides/security-keycloak-authorization.adoc b/_versions/main/guides/security-keycloak-authorization.adoc
@@ -270,7 +270,7 @@ quarkus.oidc.credentials.secret=secret <3>
 quarkus.oidc.tls.verification=none <4>
 
 # Enable Policy Enforcement
-quarkus.keycloak.policy-enforcer.enable=true <5>
+quarkus.keycloak.policy-enforcer.enabled=true <5>
 
 # Import the realm file with Dev Services for Keycloak
 # Note: This property is effective only in dev mode, not in JVM or native modes
@@ -527,7 +527,7 @@ public class ProtectedResource {
 
 [NOTE]
 ====
-To use the `AuthzClient` directly, set `quarkus.keycloak.policy-enforcer.enable=true`.
+To use the `AuthzClient` directly, set `quarkus.keycloak.policy-enforcer.enabled=true`.
 Otherwise, no bean is available for injection.
 ====
 
@@ -668,7 +668,7 @@ For example:
 
 [source,properties]
 ----
-quarkus.keycloak.policy-enforcer.enable=true
+quarkus.keycloak.policy-enforcer.enabled=true
 
 # Default Tenant
 quarkus.oidc.auth-server-url=${keycloak.url:replaced-by-test-resource}/realms/quarkus
