Merge pull request #51479 from gsmet/3.30.3-backports-1

[3.30] 3.30.3 backports 1

Author: gsmet

bom/application/pom.xml

@@ -109,15 +109,15 @@
         <slf4j-jboss-logmanager.version>2.0.2.Final</slf4j-jboss-logmanager.version>
         <wildfly-common.version>2.0.1</wildfly-common.version>
         <wildfly-client-config.version>1.0.1.Final</wildfly-client-config.version>
-        <wildfly-elytron.version>2.7.0.Final</wildfly-elytron.version>
+        <wildfly-elytron.version>2.7.1.Final</wildfly-elytron.version>
         <jboss-marshalling.version>2.2.3.Final</jboss-marshalling.version>
         <jboss-threads.version>3.9.1</jboss-threads.version>
         <vertx.version>4.5.22</vertx.version>
         <httpclient.version>4.5.14</httpclient.version>
         <httpcore.version>4.4.16</httpcore.version>
         <httpasync.version>4.1.5</httpasync.version>
         <cronutils.version>9.2.1</cronutils.version>
-        <quartz.version>2.5.0</quartz.version>
+        <quartz.version>2.5.2</quartz.version>
         <h2.version>2.4.240</h2.version> <!-- When updating, needs to be matched in io.quarkus.hibernate.orm.runtime.config.DialectVersions
                                               and the dependency jts-core needs to be updated in extensions/jdbc/jdbc-h2/runtime/pom.xml -->
         <postgresql-jdbc.version>42.7.8</postgresql-jdbc.version>
@@ -139,7 +139,7 @@
         <jboss-logging.version>3.6.1.Final</jboss-logging.version>
         <mutiny.version>3.0.3</mutiny.version>
         <jctools-core.version>4.0.5</jctools-core.version>
-        <kafka3.version>4.0.1</kafka3.version>
+        <kafka.version>4.1.1</kafka.version>
         <lz4.version>1.8.0</lz4.version> <!-- dependency of the kafka-clients that could be overridden by other imported BOMs in the platform -->
         <snappy.version>1.1.10.8</snappy.version>
         <strimzi-test-container.version>0.113.0</strimzi-test-container.version>
@@ -4561,7 +4561,7 @@
             <dependency>
                 <groupId>org.apache.kafka</groupId>
                 <artifactId>kafka-clients</artifactId>
-                <version>${kafka3.version}</version>
+                <version>${kafka.version}</version>
             </dependency>
             <dependency>
                 <groupId>org.lz4</groupId>
@@ -4586,17 +4586,17 @@
             <dependency>
                 <groupId>org.apache.kafka</groupId>
                 <artifactId>kafka-streams</artifactId>
-                <version>${kafka3.version}</version>
+                <version>${kafka.version}</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.kafka</groupId>
                 <artifactId>kafka-streams-test-utils</artifactId>
-                <version>${kafka3.version}</version>
+                <version>${kafka.version}</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.kafka</groupId>
                 <artifactId>kafka_2.13</artifactId>
-                <version>${kafka3.version}</version>
+                <version>${kafka.version}</version>
                 <exclusions>
                     <exclusion>
                         <groupId>com.google.code.findbugs</groupId>

build-parent/pom.xml

@@ -97,7 +97,7 @@
         <junit4.version>4.13.2</junit4.version>
 
         <!-- The image to use for tests that run Keycloak -->
-        <keycloak.server.version>26.4.5</keycloak.server.version>
+        <keycloak.server.version>26.4.7</keycloak.server.version>
         <keycloak.docker.image>quay.io/keycloak/keycloak:${keycloak.server.version}</keycloak.docker.image>
 
         <unboundid-ldap.version>7.0.3</unboundid-ldap.version>

core/deployment/src/main/java/io/quarkus/deployment/DebugConfig.java

@@ -21,6 +21,8 @@ public interface DebugConfig {
 
     /**
      * If set to true, writes a list of all reflective classes to META-INF
+     * <p>
+     * For fast-jar the META-INF is inside of quarkus-app/quarkus/generated-bytecode.jar
      */
     @WithDefault("false")
     boolean reflection();

core/runtime/pom.xml

@@ -236,7 +236,7 @@
                         <runnerParentFirstArtifact>org.graalvm.sdk:jniutils</runnerParentFirstArtifact>
                         <runnerParentFirstArtifact>org.graalvm.sdk:word</runnerParentFirstArtifact>
                         <runnerParentFirstArtifact>org.graalvm.sdk:collections</runnerParentFirstArtifact>
-                        <runnerParentFirstArtifact>org.graalvm.sdk:native-bridge</runnerParentFirstArtifact>
+                        <runnerParentFirstArtifact>org.graalvm.sdk:nativebridge</runnerParentFirstArtifact>
                         <!-- /support for GraalVM js -->
                         <runnerParentFirstArtifact>io.quarkus:quarkus-bootstrap-runner</runnerParentFirstArtifact>
                         <runnerParentFirstArtifact>io.quarkus:quarkus-classloader-commons</runnerParentFirstArtifact>

core/runtime/src/main/java/io/quarkus/runtime/logging/LogRuntimeConfig.java

@@ -39,16 +39,16 @@ public interface LogRuntimeConfig {
      * <p>
      * JBoss Logging supports Apache-style log levels:
      * <p>
-     * * {@link org.jboss.logmanager.Level#FATAL}
-     * * {@link org.jboss.logmanager.Level#ERROR}
-     * * {@link org.jboss.logmanager.Level#WARN}
-     * * {@link org.jboss.logmanager.Level#INFO}
-     * * {@link org.jboss.logmanager.Level#DEBUG}
-     * * {@link org.jboss.logmanager.Level#TRACE}
+     * <ul>
+     * <li>{@link org.jboss.logmanager.Level#FATAL}</li>
+     * <li>{@link org.jboss.logmanager.Level#ERROR}</li>
+     * <li>{@link org.jboss.logmanager.Level#WARN}</li>
+     * <li>{@link org.jboss.logmanager.Level#INFO}</li>
+     * <li>{@link org.jboss.logmanager.Level#DEBUG}</li>
+     * <li>{@link org.jboss.logmanager.Level#TRACE}</li>
+     * </ul>
      *
      * In addition, it also supports the standard JDK log levels.
-     *
-     * @asciidoclet
      */
     @WithDefault("INFO")
     @WithConverter(LevelConverter.class)

devtools/gradle/gradle-application-plugin/src/main/java/io/quarkus/gradle/QuarkusPlugin.java

@@ -7,7 +7,6 @@
 import java.nio.file.Path;
 import java.util.HashMap;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
@@ -474,7 +473,7 @@ public boolean isSatisfiedBy(Task t) {
                                 // add the code gen sources
                                 final SourceSet generatedSourceSet = sourceSets
                                         .getByName(QuarkusGenerateCode.QUARKUS_GENERATED_SOURCES);
-                                addCodeGenSourceDirs(compileJava, generatedSourceSet, quarkusExt);
+                                addCodeGenSourceDirs(compileJava, generatedSourceSet);
                                 // quarkusGenerateCode is a dependency
                                 compileJava.dependsOn(quarkusGenerateCode);
                                 // quarkusGenerateCodeDev must run before compileJava in case quarkusDev is the target
@@ -495,7 +494,7 @@ public boolean isSatisfiedBy(Task t) {
                                 // add the code gen test sources
                                 final SourceSet generatedSourceSet = sourceSets
                                         .getByName(QuarkusGenerateCode.QUARKUS_TEST_GENERATED_SOURCES);
-                                addCodeGenSourceDirs(compileTestJava, generatedSourceSet, quarkusExt);
+                                addCodeGenSourceDirs(compileTestJava, generatedSourceSet);
                                 compileTestJava.dependsOn(quarkusGenerateCode, quarkusGenerateCodeTests);
                                 if (tasks.contains(new NamedImpl(generatedSourceSet.getCompileJavaTaskName()))) {
                                     compileTestJava.mustRunAfter(tasks.named(generatedSourceSet.getCompileJavaTaskName()));
@@ -511,7 +510,7 @@ public boolean isSatisfiedBy(Task t) {
             tasks.named("compileKotlin", task -> {
                 final SourceSet generatedSourceSet = project.getExtensions().getByType(SourceSetContainer.class)
                         .getByName(QuarkusGenerateCode.QUARKUS_GENERATED_SOURCES);
-                addCodeGenSourceDirs(task, generatedSourceSet, quarkusExt);
+                addCodeGenSourceDirs(task, generatedSourceSet);
                 task.dependsOn(quarkusGenerateCode);
                 task.mustRunAfter(quarkusGenerateCodeDev);
                 if (tasks.contains(new NamedImpl(generatedSourceSet.getCompileJavaTaskName()))) {
@@ -525,7 +524,7 @@ public boolean isSatisfiedBy(Task t) {
             tasks.named("compileTestKotlin", task -> {
                 final SourceSet generatedSourceSet = project.getExtensions().getByType(SourceSetContainer.class)
                         .getByName(QuarkusGenerateCode.QUARKUS_TEST_GENERATED_SOURCES);
-                addCodeGenSourceDirs(task, generatedSourceSet, quarkusExt);
+                addCodeGenSourceDirs(task, generatedSourceSet);
                 task.dependsOn(quarkusGenerateCodeTests);
                 if (tasks.contains(new NamedImpl(generatedSourceSet.getCompileJavaTaskName()))) {
                     task.mustRunAfter(tasks.named(generatedSourceSet.getCompileJavaTaskName()));
@@ -538,22 +537,14 @@ public boolean isSatisfiedBy(Task t) {
         });
     }
 
-    private static void addCodeGenSourceDirs(JavaCompile compileJava, SourceSet generatedSourceSet,
-            QuarkusPluginExtension quarkusExt) {
+    private static void addCodeGenSourceDirs(JavaCompile compileJava, SourceSet generatedSourceSet) {
         final File baseDir = generatedSourceSet.getJava().getClassesDirectory().get().getAsFile();
-        for (String provider : quarkusExt.getCodeGenerationProviders().get()) {
-            compileJava.source(new File(baseDir, provider));
-        }
+        compileJava.source(baseDir);
     }
 
-    private static void addCodeGenSourceDirs(Task compileKotlin, SourceSet generatedSourceSet,
-            QuarkusPluginExtension quarkusExt) {
+    private static void addCodeGenSourceDirs(Task compileKotlin, SourceSet generatedSourceSet) {
         final File baseDir = generatedSourceSet.getJava().getClassesDirectory().get().getAsFile();
-        final List<String> codeGenProviders = quarkusExt.getCodeGenerationProviders().get();
-        final Object[] codeGenDirs = new Object[codeGenProviders.size()];
-        for (int i = 0; i < codeGenDirs.length; ++i) {
-            codeGenDirs[i] = new File(baseDir, codeGenProviders.get(i));
-        }
+        final Object[] codeGenDirs = new Object[] { baseDir };
         try {
             var sourcesMethod = compileKotlin.getClass().getMethod("source", Object[].class);
             sourcesMethod.invoke(compileKotlin, new Object[] { codeGenDirs });

devtools/project-core-extension-codestarts/src/main/resources/codestarts/quarkus/extension-codestarts/lgtm-codestart/java/src/test/java/org/acme/SimpleTest.java

@@ -1,6 +1,6 @@
 package org.acme;
 
-import org.eclipse.microprofile.config.inject.ConfigProperty;;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
 import org.jboss.logging.Logger;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.condition.DisabledOnOs;

docs/src/main/asciidoc/cdi.adoc

@@ -443,6 +443,8 @@ import jakarta.decorator.Delegate;
 import jakarta.annotation.Priority;
 import jakarta.inject.Inject;
 import jakarta.enterprise.inject.Any;
+import jakarta.enterprise.inject.Decorated;
+import jakarta.enterprise.inject.spi.Bean;
 
 public interface Account {
    void withdraw(BigDecimal amount);
@@ -461,7 +463,6 @@ public class LargeTxAccount implements Account { <3>
    @Decorated
    Bean<Account> delegateInfo; <5>
 
-
    @Inject
    LogService logService; <6>
 

docs/src/main/asciidoc/rest-client.adoc

@@ -1341,7 +1341,9 @@ public class TestClientRequestFilter implements ResteasyReactiveClientRequestFil
 }
 ----
 
-== Customizing the ObjectMapper in REST Client Jackson
+== Jackson-specific features
+
+=== Customizing the ObjectMapper in REST Client Jackson
 
 The REST Client supports adding a custom ObjectMapper to be used only the Client using the annotation `@ClientObjectMapper`.
 
@@ -1369,6 +1371,60 @@ public interface ExtensionsService {
 <2> It's must be a static method. Also, the parameter `defaultObjectMapper` will be resolved via CDI. If not found, it will throw an exception at runtime.
 <3> In this example, we're creating a copy of the default object mapper. You should *NEVER* modify the default object mapper, but create a copy instead.
 
+=== @JsonView support
+
+Jakarta REST methods can be annotated with https://fasterxml.github.io/jackson-annotations/javadoc/2.10/com/fasterxml/jackson/annotation/JsonView.html[@JsonView]
+in order to customize the serialization of the returned POJO, on a per method-basis. This is best explained with an example.
+
+A typical use of `@JsonView` is to hide certain fields on certain methods. In that vein, let's define two views:
+
+[source,java]
+----
+public class Views {
+
+    public static class Public {
+    }
+
+    public static class Private extends Public {
+    }
+}
+----
+
+Let's assume we have the `User` POJO on which we want to hide some field during serialization. A simple example of this is:
+
+[source,java]
+----
+public class User {
+
+    @JsonView(Views.Private.class)
+    public int id;
+
+    @JsonView(Views.Public.class)
+    public String name;
+}
+----
+
+The REST Client supports `@JsonView` both for sending content to the REST API and for retrieving data from it:
+
+[source,java]
+----
+    @Path("/users")
+    @RegisterRestClient
+    public interface UserClient {
+        @GET
+        @Path("/{id}")
+        @Produces(MediaType.APPLICATION_JSON)
+        @JsonView(Views.Public.class)
+        User get(@RestPath String id);
+
+        @POST
+        @Consumes(MediaType.APPLICATION_JSON)
+        Response create(@JsonView(Views.Public.class) User user);
+    }
+----
+
+In the preceding code, the `get` method would return a `User` whose `id` is always `null` while the `create` method would never include `id` in the JSON it sends to the REST API.
+
 == Exception handling
 
 The MicroProfile REST Client specification introduces the `org.eclipse.microprofile.rest.client.ext.ResponseExceptionMapper` whose purpose is to convert an HTTP response to an exception.

docs/src/main/asciidoc/security-cors.adoc

@@ -34,6 +34,14 @@ The filter then adds CORS headers to the HTTP response, informing browsers about
 For preflight requests, the filter returns an HTTP response immediately.
 For regular CORS requests, the filter denies access with an HTTP 403 status if the request violates the configured policy; otherwise, the filter forwards the request to the destination if the policy allows it.
 
+[NOTE]
+====
+Despite its name the CORS filter may also prevent CSRF attacks based on link:https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#using-standard-headers-to-verify-origin[Origin verification].
+Therefore, since an [Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin) header is expected to be set by the browser for cross-origin JavaScript and HTML form requests, you may want to consider using it instead of the xref:security-csrf-prevention.adoc[REST CSRF filter].
+
+You must confirm that the browser does set an `Origin` header for cross-origin requests when accessing your application, especially with HTML forms, before using the CORS filter to prevent CSRF  with the link:https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#using-standard-headers-to-verify-origin[Origin verification].
+====
+
 For detailed configuration options, see the following Configuration Properties section.
 
 include::{generated-dir}/config/quarkus-vertx-http_quarkus.http.cors.adoc[leveloffset=+1, opts=optional]