Sync documentation of main branch

Author: actions-user

_generated-doc/main/config/quarkus-all-config.adoc

@@ -17400,7 +17400,9 @@ If this is the string `common`, `combined` or `long` then this will use one of t
 
 - common: `%h %l %u %t "%r" %s %b` - combined: `%h %l %u %t "%r" %s %b "%++{++i,Referer++}++" "%++{++i,User-Agent++}++"` - long: `%r++\++n%++{++ALL_REQUEST_HEADERS++}++`
 
-Otherwise, consult the Quarkus documentation for the full list of variables that can be used.
+Otherwise, consult the Quarkus documentation for the full list of variables that can be used. Note that enabling the `%++{++ALL_REQUEST_HEADERS++}++` attribute directly or with a `long` named format introduces a risk of sensitive header values being logged.
+
+HTTP `Authorization` header value is always masked. Use the `masked-headers()` property to mask other sensitive headers.
 
 
 ifdef::add-copy-button-to-env-var[]
@@ -17413,6 +17415,48 @@ endif::add-copy-button-to-env-var[]
 |string
 |`+++common+++`
 
+a| [[quarkus-vertx-http_quarkus-http-access-log-masked-headers]] [.property-path]##link:#quarkus-vertx-http_quarkus-http-access-log-masked-headers[`quarkus.http.access-log.masked-headers`]##
+ifdef::add-copy-button-to-config-props[]
+config_property_copy_button:+++quarkus.http.access-log.masked-headers+++[]
+endif::add-copy-button-to-config-props[]
+
+
+[.description]
+--
+Set of HTTP headers whose values must be masked when the `%++{++ALL_REQUEST_HEADERS++}++` attribute is enabled with the `pattern()` property.
+
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_HTTP_ACCESS_LOG_MASKED_HEADERS+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_HTTP_ACCESS_LOG_MASKED_HEADERS+++`
+endif::add-copy-button-to-env-var[]
+--
+|list of string
+|
+
+a| [[quarkus-vertx-http_quarkus-http-access-log-masked-cookies]] [.property-path]##link:#quarkus-vertx-http_quarkus-http-access-log-masked-cookies[`quarkus.http.access-log.masked-cookies`]##
+ifdef::add-copy-button-to-config-props[]
+config_property_copy_button:+++quarkus.http.access-log.masked-cookies+++[]
+endif::add-copy-button-to-config-props[]
+
+
+[.description]
+--
+Set of HTTP Cookie headers whose values must be masked when the `%++{++ALL_REQUEST_HEADERS++}++` attribute is enabled with the `pattern()` property.
+
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_HTTP_ACCESS_LOG_MASKED_COOKIES+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_HTTP_ACCESS_LOG_MASKED_COOKIES+++`
+endif::add-copy-button-to-env-var[]
+--
+|list of string
+|
+
 a| [[quarkus-vertx-http_quarkus-http-access-log-log-to-file]] [.property-path]##link:#quarkus-vertx-http_quarkus-http-access-log-log-to-file[`quarkus.http.access-log.log-to-file`]##
 ifdef::add-copy-button-to-config-props[]
 config_property_copy_button:+++quarkus.http.access-log.log-to-file+++[]
@@ -86830,7 +86874,7 @@ Environment variable: `+++QUARKUS_REST_CLIENT__CLIENT__DISABLE_DEFAULT_MAPPER+++
 endif::add-copy-button-to-env-var[]
 --
 |boolean
-|`+++${microprofile.rest.client.disable.default.mapper:false}+++`
+|`+++false+++`
 
 a| [[quarkus-rest-client-config_quarkus-rest-client-client-logging-scope]] [.property-path]##link:#quarkus-rest-client-config_quarkus-rest-client-client-logging-scope[`quarkus.rest-client."client".logging.scope`]##
 ifdef::add-copy-button-to-config-props[]

_generated-doc/main/config/quarkus-rest-client-config.adoc

@@ -1818,7 +1818,7 @@ Environment variable: `+++QUARKUS_REST_CLIENT__CLIENT__DISABLE_DEFAULT_MAPPER+++
 endif::add-copy-button-to-env-var[]
 --
 |boolean
-|`+++${microprofile.rest.client.disable.default.mapper:false}+++`
+|`+++false+++`
 
 a| [[quarkus-rest-client-config_quarkus-rest-client-client-logging-scope]] [.property-path]##link:#quarkus-rest-client-config_quarkus-rest-client-client-logging-scope[`quarkus.rest-client."client".logging.scope`]##
 ifdef::add-copy-button-to-config-props[]

_generated-doc/main/config/quarkus-rest-client-config_quarkus.rest-client.adoc

@@ -1818,7 +1818,7 @@ Environment variable: `+++QUARKUS_REST_CLIENT__CLIENT__DISABLE_DEFAULT_MAPPER+++
 endif::add-copy-button-to-env-var[]
 --
 |boolean
-|`+++${microprofile.rest.client.disable.default.mapper:false}+++`
+|`+++false+++`
 
 a| [[quarkus-rest-client-config_quarkus-rest-client-client-logging-scope]] [.property-path]##link:#quarkus-rest-client-config_quarkus-rest-client-client-logging-scope[`quarkus.rest-client."client".logging.scope`]##
 ifdef::add-copy-button-to-config-props[]

_generated-doc/main/config/quarkus-vertx-http_quarkus.http.access-log.adoc

@@ -63,7 +63,9 @@ If this is the string `common`, `combined` or `long` then this will use one of t
 
 - common: `%h %l %u %t "%r" %s %b` - combined: `%h %l %u %t "%r" %s %b "%++{++i,Referer++}++" "%++{++i,User-Agent++}++"` - long: `%r++\++n%++{++ALL_REQUEST_HEADERS++}++`
 
-Otherwise, consult the Quarkus documentation for the full list of variables that can be used.
+Otherwise, consult the Quarkus documentation for the full list of variables that can be used. Note that enabling the `%++{++ALL_REQUEST_HEADERS++}++` attribute directly or with a `long` named format introduces a risk of sensitive header values being logged.
+
+HTTP `Authorization` header value is always masked. Use the `masked-headers()` property to mask other sensitive headers.
 
 
 ifdef::add-copy-button-to-env-var[]
@@ -76,6 +78,48 @@ endif::add-copy-button-to-env-var[]
 |string
 |`+++common+++`
 
+a| [[quarkus-vertx-http_quarkus-http-access-log_quarkus-http-access-log-masked-headers]] [.property-path]##link:#quarkus-vertx-http_quarkus-http-access-log_quarkus-http-access-log-masked-headers[`quarkus.http.access-log.masked-headers`]##
+ifdef::add-copy-button-to-config-props[]
+config_property_copy_button:+++quarkus.http.access-log.masked-headers+++[]
+endif::add-copy-button-to-config-props[]
+
+
+[.description]
+--
+Set of HTTP headers whose values must be masked when the `%++{++ALL_REQUEST_HEADERS++}++` attribute is enabled with the `pattern()` property.
+
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_HTTP_ACCESS_LOG_MASKED_HEADERS+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_HTTP_ACCESS_LOG_MASKED_HEADERS+++`
+endif::add-copy-button-to-env-var[]
+--
+|list of string
+|
+
+a| [[quarkus-vertx-http_quarkus-http-access-log_quarkus-http-access-log-masked-cookies]] [.property-path]##link:#quarkus-vertx-http_quarkus-http-access-log_quarkus-http-access-log-masked-cookies[`quarkus.http.access-log.masked-cookies`]##
+ifdef::add-copy-button-to-config-props[]
+config_property_copy_button:+++quarkus.http.access-log.masked-cookies+++[]
+endif::add-copy-button-to-config-props[]
+
+
+[.description]
+--
+Set of HTTP Cookie headers whose values must be masked when the `%++{++ALL_REQUEST_HEADERS++}++` attribute is enabled with the `pattern()` property.
+
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_HTTP_ACCESS_LOG_MASKED_COOKIES+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_HTTP_ACCESS_LOG_MASKED_COOKIES+++`
+endif::add-copy-button-to-env-var[]
+--
+|list of string
+|
+
 a| [[quarkus-vertx-http_quarkus-http-access-log_quarkus-http-access-log-log-to-file]] [.property-path]##link:#quarkus-vertx-http_quarkus-http-access-log_quarkus-http-access-log-log-to-file[`quarkus.http.access-log.log-to-file`]##
 ifdef::add-copy-button-to-config-props[]
 config_property_copy_button:+++quarkus.http.access-log.log-to-file+++[]

_versions/main/guides/security-oidc-bearer-token-authentication.adoc

@@ -1706,10 +1706,13 @@ Or, if you need more flexibility, write a <<jose4j-validator-bearer>>:
 ----
 package io.quarkus.it.oidc;
 
+import java.util.Collections;
+import java.util.List;
 import java.util.Map;
 
 import jakarta.enterprise.context.ApplicationScoped;
 
+import org.eclipse.microprofile.jwt.Claims;
 import org.jose4j.jwt.MalformedClaimException;
 import org.jose4j.jwt.consumer.JwtContext;
 import org.jose4j.jwt.consumer.Validator;
@@ -1727,9 +1730,19 @@ public class AcrValueValidator implements Validator {
     @Override
     public String validate(JwtContext jwtContext) throws MalformedClaimException {
         var jwtClaims = jwtContext.getJwtClaims();
-        if (jwtClaims.hasClaim("acr")) {
-            var acrClaim = jwtClaims.getStringListClaimValue("acr");
-            if (acrClaim.contains("myACR") && acrClaim.contains("yourACR")) {
+        var acrClaimName = Claims.acr.name();
+
+        if (jwtClaims.hasClaim(acrClaimName)) {
+            // The claim 'acr' could be a String or a list
+            List<String> acrClaimValues;
+            if (jwtClaims.isClaimValueStringList(acrClaimName)) {
+               acrClaimValues = jwtClaims.getStringListClaimValue(acrClaimName);
+            } else if (jwtClaims.isClaimValueString(acrClaimName)) {
+               acrClaimValues = List.of(jwtClaims.getStringClaimValue(acrClaimName));
+            } else {
+                throw new MalformedClaimException("Claim '" + acrClaimName + "' is not a String or List of Strings.");
+            }
+            if (acrClaimValues.contains("myACR") && acrClaimValues.contains("yourACR")) {
                 return null;
             }
         }