Sync documentation of main branch

Author: actions-user

_generated-doc/main/infra/quarkus-all-build-items.adoc

@@ -7889,10 +7889,10 @@ _No Javadoc found_
 
 
 
-a| https://github.com/quarkusio/quarkus/blob/main/extensions/security/spi/src/main/java/io/quarkus/security/spi/ClassSecurityCheckAnnotationBuildItem.java[`io.quarkus.security.spi.ClassSecurityCheckAnnotationBuildItem`, window="_blank"]
+a| https://github.com/quarkusio/quarkus/blob/main/extensions/security/spi/src/main/java/io/quarkus/security/spi/ClassSecurityAnnotationBuildItem.java[`io.quarkus.security.spi.ClassSecurityAnnotationBuildItem`, window="_blank"]
 [.description]
 --
-Allows to create additional security checks for standard security annotations defined on a class level. We strongly recommended to secure CDI beans with `AdditionalSecuredMethodsBuildItem` if additional security is required. If you decide to use this build item, you must use class security check storage and apply checks manually. Thus, it's only suitable for very special cases.
+Allows to create additional security checks for standard security annotations defined on a class level and security interceptors for security annotations (such as selecting tenant or authentication mechanism). We strongly recommended to secure CDI beans with `AdditionalSecuredMethodsBuildItem` if additional security is required. If you decide to use this build item, you must use class security check storage and apply checks manually. Thus, it's only suitable for very special cases and intended for internal use in Quarkus core extensions.
 -- a|`org.jboss.jandex.DotName classAnnotation` 
 
 _No Javadoc found_
@@ -7903,7 +7903,7 @@ _No Javadoc found_
 a| https://github.com/quarkusio/quarkus/blob/main/extensions/security/spi/src/main/java/io/quarkus/security/spi/ClassSecurityCheckStorageBuildItem.java[`io.quarkus.security.spi.ClassSecurityCheckStorageBuildItem`, window="_blank"]
 [.description]
 --
-Security check storage containing additional security checks created for secured classes matching one of the `ClassSecurityCheckAnnotationBuildItem` filters during the static init.
+Security check storage containing additional security checks created for secured classes matching one of the `ClassSecurityAnnotationBuildItem` filters during the static init.
 -- a|`java.util.Map<DotName,Object> classNameToSecurityCheck` 
 
 _No Javadoc found_
@@ -7941,6 +7941,21 @@ _No Javadoc found_
 
 
 
+a| https://github.com/quarkusio/quarkus/blob/main/extensions/security/spi/src/main/java/io/quarkus/security/spi/RegisterClassSecurityCheckBuildItem.java[`io.quarkus.security.spi.RegisterClassSecurityCheckBuildItem`, window="_blank"]
+[.description]
+--
+Registers security check against `io.quarkus.security.spi.ClassSecurityCheckStorageBuildItem` for security annotation instances passed in this build item. This class is exposed for limited Quarkus core-specific use cases and can be changed or be removed if necessary. If other extensions require this build item, please open Quarkus issue so that we document and test the use case.
+-- a|`org.jboss.jandex.DotName className` 
+
+_No Javadoc found_
+
+`org.jboss.jandex.AnnotationInstance securityAnnotationInstance` 
+
+_No Javadoc found_
+
+
+
+
 a| https://github.com/quarkusio/quarkus/blob/main/extensions/security/spi/src/main/java/io/quarkus/security/spi/RolesAllowedConfigExpResolverBuildItem.java[`io.quarkus.security.spi.RolesAllowedConfigExpResolverBuildItem`, window="_blank"]
 [.description]
 --
@@ -8738,6 +8753,22 @@ If this interceptor is always accompanied by `io.quarkus.security.spi.runtime.Se
 
 
 
+a| https://github.com/quarkusio/quarkus/blob/main/extensions/vertx-http/deployment/src/main/java/io/quarkus/vertx/http/deployment/EagerSecurityInterceptorClassesBuildItem.java[`io.quarkus.vertx.http.deployment.EagerSecurityInterceptorClassesBuildItem`, window="_blank"]
+[.description]
+--
+Bears collected intercepted classes annotated with registered security annotation if and only if class-level security is applied due to the matching `io.quarkus.security.spi.ClassSecurityAnnotationBuildItem` annotation. Security interceptor needs to be created and applied for each intercepted class.
+@see EagerSecurityInterceptorBindingBuildItem for more information on security filters
+-- a|`java.util.Map<String,Set<String>> bindingValueToInterceptedClasses` 
+
+Annotation binding value: '@HttpAuthenticationMechanism("custom")' => 'custom'; mapped to annotated class names
+
+`org.jboss.jandex.DotName interceptorBinding` 
+
+Interceptor binding annotation name, like `HttpAuthenticationMechanism` .
+
+
+
+
 a| https://github.com/quarkusio/quarkus/blob/main/extensions/vertx-http/deployment/src/main/java/io/quarkus/vertx/http/deployment/EagerSecurityInterceptorMethodsBuildItem.java[`io.quarkus.vertx.http.deployment.EagerSecurityInterceptorMethodsBuildItem`, window="_blank"]
 [.description]
 --

_versions/main/guides/appcds.adoc

@@ -105,7 +105,7 @@ If you are building an application that will target JDK 24+ you can take advanta
 -Dquarkus.package.jar.appcds.use-aot=true
 ----
 
-The result of this flag (plus the `-Dquarkus.package.jar.appcds.use-aot=true` original one) is the creation of an AOT cache file
+The result of this flag (plus the `-Dquarkus.package.jar.appcds.enabled=true` original one) is the creation of an AOT cache file
 named `app.aot`.
 
 You can use this AOT cache when launching the application like so:

_versions/main/guides/security-authentication-mechanisms.adoc

@@ -686,6 +686,7 @@ quarkus.http.auth.permission.bearer.auth-mechanism=bearer
 
 Ensure that the value of the `auth-mechanism` property matches the authentication scheme supported by `HttpAuthenticationMechanism`, for example, `basic`, `bearer`, or `form`.
 
+[[use-annotations-for-path-based-auth]]
 ==== Use annotations to enable path-based authentication for Jakarta REST endpoints
 
 It is possible to use annotations to select an authentication mechanism specific to each Jakarta REST endpoint.

_versions/main/guides/security-openid-connect-multitenancy.adoc

@@ -664,6 +664,13 @@ quarkus.http.auth.permission.authenticated.applies-to=JAXRS <1>
 <1> Tell Quarkus to run the HTTP permission check after the tenant has been selected with the `@Tenant` annotation.
 ====
 
+[NOTE]
+====
+The `io.quarkus.oidc.Tenant` annotation can be used to select tenant for a WebSockets Next server endpoint.
+The annotation must be placed on the endpoint class, because the `SecurityIdentity` is created before the HTTP connection is upgraded to a WebSocket connection.
+For more information about the HTTP upgrade security, see the xref:websockets-next-reference.adoc#secure-http-upgrade[Secure HTTP upgrade] section of the Quarkus "WebSockets Next reference" guide.
+====
+
 [[tenant-config-resolver]]
 === Dynamic tenant configuration resolution
 

_versions/main/guides/websockets-next-reference.adoc

@@ -846,6 +846,37 @@ quarkus.http.auth.permission.http-upgrade.paths=/end
 quarkus.http.auth.permission.http-upgrade.policy=authenticated
 ----
 
+Security annotations used during authentication must be placed on an endpoint class as well, for the `SecurityIdentity` is created before the websocket connection is opened.
+
+.Select Bearer token authentication mechanism
+[source, java]
+----
+package io.quarkus.websockets.next.test.security;
+
+import io.quarkus.oidc.BearerTokenAuthentication;
+import io.quarkus.websockets.next.OnTextMessage;
+import io.quarkus.websockets.next.WebSocket;
+
+@BearerTokenAuthentication <1>
+@WebSocket(path = "/end")
+public class Endpoint {
+
+    @OnTextMessage
+    String echo(String message) {
+        return message;
+    }
+
+}
+----
+<1> Require that an opening WebSocket handshake request is authenticated using the bearer token authentication.
+See the xref:security-authentication-mechanisms.adoc#use-annotations-for-path-based-auth[Authentication mechanisms in Quarkus] guide for more information about selecting authentication mechanisms with annotations.
+
+[source,properties]
+----
+quarkus.http.auth.proactive=false <1>
+----
+<1> Start authenticating an opening WebSocket handshake request only when the `io.quarkus.oidc.BearerTokenAuthentication` annotation is detected.
+
 [[secure-callback-methods]]
 ==== Secure WebSocket endpoint callback methods
 
@@ -937,7 +968,7 @@ public class PermissionChecker {
 
     @PermissionChecker("product:premium")
     public boolean canGetPremiumProduct(SecurityIdentity securityIdentity) { <1>
-        String username = currentIdentity.getPrincipal().getName();
+        String username = securityIdentity.getPrincipal().getName();
 
         RoutingContext routingContext = HttpSecurityUtils.getRoutingContextAttribute(securityIdentity);
         String initialHttpUpgradePath = routingContext == null ? null : routingContext.normalizedPath();