From 39e91a88b4306405c4fd363766cebb228f85685e Mon Sep 17 00:00:00 2001
From: tvallin <thibault.vallin@oracle.com>
Date: Fri, 3 Nov 2023 17:01:42 +0100
Subject: [PATCH 1/3] Fix security

Signed-off-by: tvallin <thibault.vallin@oracle.com>
---
 .../src/main/archetype/common/security.xml    | 222 +---------
 .../main/archetype/mp/custom/custom-mp.xml    |   1 +
 .../custom}/files/application.google.yaml     |   0
 .../files/application.http-signature.yaml     |   0
 .../custom}/files/application.oidc.yaml       |   0
 .../java/__pkg__/JwtApplication.java.mustache |  17 +
 .../java/__pkg__/JwtResource.java.mustache    |  24 ++
 .../archetype/mp/custom/security-outputs.xml  | 102 +++++
 .../main/resources/application.yaml.mustache  |  12 -
 .../main/archetype/se/custom/custom-se.xml    |   3 +-
 .../custom}/files/application.jwt.yaml        |   0
 .../java/__pkg__/GoogleMain.java.mustache     |  19 +-
 .../__pkg__/JwtOverrideService.java.mustache  |   6 +-
 .../__pkg__/OutboundOverrideJwt.java.mustache |  17 +-
 .../java/__pkg__/SignatureMain.java.mustache  |  21 +-
 .../src/main/resources/WEB/index-google.html  |  68 +++
 .../files/src/main/resources/signing-jwk.json |   0
 .../src/main/resources/verifying-jwk.json     |   2 +-
 .../OutboundOverrideJwtTest.java.mustache     |  18 +-
 .../__pkg__/SignatureMainTest.java.mustache   |   8 +-
 .../archetype/se/custom/security-outputs.xml  | 395 ++++++++++++++++++
 .../src/main/archetype/se/custom/security.xml |  48 ---
 22 files changed, 654 insertions(+), 329 deletions(-)
 rename archetypes/helidon/src/main/archetype/{common => mp/custom}/files/application.google.yaml (100%)
 rename archetypes/helidon/src/main/archetype/{common => mp/custom}/files/application.http-signature.yaml (100%)
 rename archetypes/helidon/src/main/archetype/{common => mp/custom}/files/application.oidc.yaml (100%)
 create mode 100644 archetypes/helidon/src/main/archetype/mp/custom/files/src/main/java/__pkg__/JwtApplication.java.mustache
 create mode 100644 archetypes/helidon/src/main/archetype/mp/custom/files/src/main/java/__pkg__/JwtResource.java.mustache
 create mode 100644 archetypes/helidon/src/main/archetype/mp/custom/security-outputs.xml
 rename archetypes/helidon/src/main/archetype/{common => se/custom}/files/application.jwt.yaml (100%)
 create mode 100644 archetypes/helidon/src/main/archetype/se/custom/files/src/main/resources/WEB/index-google.html
 rename archetypes/helidon/src/main/archetype/{common => se/custom}/files/src/main/resources/signing-jwk.json (100%)
 rename archetypes/helidon/src/main/archetype/{common => se/custom}/files/src/main/resources/verifying-jwk.json (89%)
 create mode 100644 archetypes/helidon/src/main/archetype/se/custom/security-outputs.xml
 delete mode 100644 archetypes/helidon/src/main/archetype/se/custom/security.xml

diff --git a/archetypes/helidon/src/main/archetype/common/security.xml b/archetypes/helidon/src/main/archetype/common/security.xml
index 1d162950275..232967c26a9 100644
--- a/archetypes/helidon/src/main/archetype/common/security.xml
+++ b/archetypes/helidon/src/main/archetype/common/security.xml
@@ -29,144 +29,11 @@
                      optional="true">
                 <inputs>
                     <list id="atn" name="Select Authentication Providers" optional="true">
-                        <option value="oidc" name="OIDC" description="OpenID Connect">
-                            <output>
-                                <model>
-                                    <list key="providers-config-entries">
-                                        <value file="files/application.oidc.yaml" if="${flavor} == 'mp'"/>
-                                        <value if="${flavor} == 'se'"><![CDATA[
-  - oidc:
-      client-id: "your-client-id"
-      client-secret: "your-client-secret"
-      identity-uri: "https://your-tenant-id.identity.oracle.com"
-      # A prefix used for custom scopes
-      scope-audience: "http://localhost:7987/test-application"
-      proxy-host: ""
-      # Used as a base for redirects back to us (based on Host header now, so no need to explicitly define it)
-      # If explicitly defined, will override host header
-      # frontend-uri: "http://localhost:7987"
-      # support for non-public signature JWK (and maybe other IDCS specific handling)
-      server-type: "idcs"
-      logout-enabled: true
-      # Can define just a path, host will be taken from header
-      post-logout-uri: "/loggedout"
-      # We want to redirect to login page (and token can be received either through cookie or header)
-      redirect: true
-  - idcs-role-mapper:
-      multitenant: false
-      oidc-config:
-        # we must repeat IDCS configuration, as in this case
-        # IDCS serves both as open ID connect authenticator and
-        # as a role mapper. Using minimal configuration here
-        client-id: "your-client-id"
-        client-secret: "your-client-secret"
-        identity-uri: "https://your-tenant-id.identity.oracle.com"]]></value>
-                                    </list>
-                                    <list key="paths-config-entries">
-                                        <value if="${flavor} == 'se'"><![CDATA[   - path: "/rest/profile"
-             methods: ["get"]
-             authenticate: true
-             roles-allowed: ["my_admins"]]]></value>
-                                    </list>
-                                    <list key="dependencies">
-                                        <map if="${flavor} == 'mp'">
-                                            <value key="groupId">io.helidon.microprofile</value>
-                                            <value key="artifactId">helidon-microprofile-oidc</value>
-                                        </map>
-                                        <map if="${flavor} == 'se'">
-                                            <value key="groupId">io.helidon.security.providers</value>
-                                            <value key="artifactId">helidon-security-providers-oidc</value>
-                                        </map>
-                                        <map if="${flavor} == 'se'">
-                                            <value key="groupId">io.helidon.security.providers</value>
-                                            <value key="artifactId">helidon-security-providers-idcs-mapper</value>
-                                        </map>
-                                    </list>
-                                    <list key="Main-java-imports" if="${flavor} == 'se'">
-                                        <value>java.util.Optional</value>
-                                    </list>
-                                    <list key="Main-helidon-imports" if="${flavor} == 'se'">
-                                        <value>io.helidon.common.context.Contexts</value>
-                                        <value>io.helidon.http.HttpMediaTypes</value>
-                                        <value>io.helidon.security.Security</value>
-                                        <value>io.helidon.security.SecurityContext</value>
-                                        <value>io.helidon.security.Subject</value>
-                                        <value>io.helidon.security.providers.oidc.OidcFeature</value>
-                                    </list>
-                                    <list key="Main-main" if="${flavor} == 'se'">
-                                        <value><![CDATA[
-        Security security = Security.create(config.get("security"));
-        // this is needed for proper encryption/decryption of cookies
-        Contexts.globalContext().register(security);
-]]></value>
-                                    </list>
-                                    <list key="Main-routing" if="${flavor} == 'se'">
-                                        <value><![CDATA[
-        if (Config.global().get("security.enabled").asBoolean().orElse(true)) {
-            // IDCS requires a web resource for redirects
-            routing.addFeature(OidcFeature.create(Config.global()));
-        }
-]]></value>
-                                    </list>
-                                    <list key="Main-routing-builder" if="${flavor} == 'se'">
-                                        <value><![CDATA[// web server does not (yet) have possibility to configure routes in config files, so explicit...
-                        .get("/rest/profile", (req, res) -> {
-                            Optional<SecurityContext> securityContext = req.context().get(SecurityContext.class);
-                            res.headers().contentType(HttpMediaTypes.PLAINTEXT_UTF_8);
-                            res.send("Response from config based service, you are: \n" + securityContext
-                                    .flatMap(SecurityContext::user)
-                                    .map(Subject::toString)
-                                    .orElse("Security context is null"));
-                        })
-                        .get("/loggedout", (req, res) -> res.send("You have been logged out"))]]></value>
-                                    </list>
-                                    <list key="module-requires" if="${flavor} == 'se'">
-                                        <value>io.helidon.security.providers.oidc</value>
-                                    </list>
-                                    <list key="module-requires">
-                                        <value if="${flavor} == 'se'">io.helidon.security</value>
-                                    </list>
-                                </model>
-                            </output>
-                        </option>
+                        <option value="oidc" name="OIDC" description="OpenID Connect"/>
                         <option value="jwt" name="JWT" description="JSON Web Token">
                             <output>
-                                <files>
-                                    <directory>files</directory>
-                                    <includes>
-                                        <include>src/*/resources/**/signing-jwk.json</include>
-                                        <include>src/*/resources/**/verifying-jwk.json</include>
-                                    </includes>
-                                </files>
                                 <model>
-                                    <list key="providers-config-entries">
-                                        <value file="files/application.jwt.yaml"/>
-                                    </list>
-                                    <list key="dependencies">
-                                        <map if="${flavor} == 'mp'">
-                                            <value key="groupId">io.helidon.security.providers</value>
-                                            <value key="artifactId">helidon-security-providers-jwt</value>
-                                        </map>
-                                        <map if="${flavor} == 'se'">
-                                            <value key="groupId">io.helidon.webclient</value>
-                                            <value key="artifactId">helidon-webclient-security</value>
-                                        </map>
-                                        <map if="${flavor} == 'se'">
-                                            <value key="groupId">io.helidon.security.providers</value>
-                                            <value key="artifactId">helidon-security-providers-http-auth</value>
-                                        </map>
-                                        <map if="${flavor} == 'se'">
-                                            <value key="groupId">io.helidon.security.providers</value>
-                                            <value key="artifactId">helidon-security-providers-jwt</value>
-                                        </map>
-                                        <map if="${flavor} == 'se'">
-                                            <value key="groupId">io.helidon.bundles</value>
-                                            <value key="artifactId">helidon-bundles-config</value>
-                                        </map>
-                                    </list>
                                     <list key="module-requires">
-                                        <value if="${flavor} == 'se'">io.helidon.webclient.security</value>
-                                        <value>io.helidon.security.providers.jwt</value>
                                         <value>io.helidon.webserver.context</value>
                                     </list>
                                 </model>
@@ -175,42 +42,11 @@
                         <option value="google" name="Google Login" description="Google identity">
                             <output>
                                 <model>
-                                    <list key="providers-config-entries">
-                                        <value file="files/application.google.yaml" if="${flavor} == 'mp'"/>
-                                        <value if="${flavor} == 'se'"><![CDATA[    - google-login:
-        # Create your own application in Google developer console
-        # Also update the client id configured in header of index.html
-        # Detailed how-to for login button (including links how to create an application):
-        # https://developers.google.com/identity/sign-in/web/sign-in
-        client-id: "your-app-id.apps.googleusercontent.com"
-        # Defaults for Helidon
-        # realm: "helidon"
-        # Configure proxy host if needed
-        proxy-host: ""
-        # proxy-port: 80
-
-        # This is the default for GoogleTokenProvider
-        #token:
-        #  header: "Authorization"
-        # or do not specify - then the whole header is considered to be the token value
-        #  prefix: "bearer "
-        # optional alternative - looking for first matching group
-        #  regexp: "bearer (.*)"
-        #}]]></value>
-                                    </list>
                                     <list key="dependencies">
                                         <map>
                                             <value key="groupId">io.helidon.security.providers</value>
                                             <value key="artifactId">helidon-security-providers-google-login</value>
                                         </map>
-                                        <map if="${flavor} == 'se'">
-                                            <value key="groupId">io.helidon.bundles</value>
-                                            <value key="artifactId">helidon-bundles-config</value>
-                                        </map>
-                                        <map if="${flavor} == 'se'">
-                                            <value key="groupId">io.helidon.webserver</value>
-                                            <value key="artifactId">helidon-webserver-static-content</value>
-                                        </map>
                                     </list>
                                     <list key="paths-config-entries">
                                         <value><![CDATA[    - path: "/rest/profile"
@@ -234,34 +70,11 @@
                                     </includes>
                                 </files>
                                 <model>
-                                    <list key="providers-config-entries">
-                                        <value file="files/application.http-signature.yaml" if="${flavor} == 'mp'"/>
-                                    </list>
                                     <list key="dependencies">
                                         <map>
                                             <value key="groupId">io.helidon.security.providers</value>
                                             <value key="artifactId">helidon-security-providers-http-sign</value>
                                         </map>
-                                        <map if="${flavor} == 'se'">
-                                            <value key="groupId">io.helidon.webclient</value>
-                                            <value key="artifactId">helidon-webclient-security</value>
-                                        </map>
-                                        <map if="${flavor} == 'se'">
-                                            <value key="groupId">io.helidon.bundles</value>
-                                            <value key="artifactId">helidon-bundles-security</value>
-                                        </map>
-                                        <map if="${flavor} == 'se'">
-                                            <value key="groupId">io.helidon.config</value>
-                                            <value key="artifactId">helidon-config-hocon</value>
-                                        </map>
-                                    </list>
-                                    <list key="module-requires" if="${flavor} == 'se'">
-                                        <value>io.helidon.webclient.http1</value>
-                                        <value>io.helidon.common.pki</value>
-                                        <value>io.helidon.webserver.context</value>
-                                        <value>io.helidon.security.providers.common</value>
-                                        <value>io.helidon.security.providers.httpauth</value>
-                                        <value>io.helidon.security.providers.httpsign</value>
                                     </list>
                                 </model>
                             </output>
@@ -279,14 +92,6 @@
                                             <value key="groupId">io.helidon.security.providers</value>
                                             <value key="artifactId">helidon-security-providers-abac</value>
                                         </map>
-                                        <map if="${flavor} == 'se'">
-                                            <value key="groupId">io.helidon.security.abac</value>
-                                            <value key="artifactId">helidon-security-abac-scope</value>
-                                        </map>
-                                        <map if="${flavor} == 'se'">
-                                            <value key="groupId">io.helidon.security.abac</value>
-                                            <value key="artifactId">helidon-security-abac-role</value>
-                                        </map>
                                     </list>
                                     <list key="paths-config-entries">
                                         <value order="90" if="!(${security.atn} contains 'oidc')"><![CDATA[         roles-allowed: ["user"]]]></value>
@@ -300,27 +105,6 @@
                     <model>
                         <value key="security">true</value>
                         <value key="features">true</value>
-                        <list key="dependencies">
-                            <map if="${flavor} == 'mp'">
-                                <value key="groupId">io.helidon.microprofile</value>
-                                <value key="artifactId">helidon-microprofile-security</value>
-                            </map>
-                            <map if="${flavor} == 'se'">
-                                <value key="groupId">io.helidon.webserver</value>
-                                <value key="artifactId">helidon-webserver-security</value>
-                            </map>
-                        </list>
-                        <list key="paths-config-entries">
-                            <value if="${flavor} == 'mp'"><![CDATA[    - path: "/simple-greet"
-      methods: ["get"]
-      authenticate: true]]></value>
-                        </list>
-                        <list key="application-test-yaml-entries" if="${flavor} == 'se'">
-                            <value><![CDATA[
-security:
-  enabled: false
-]]></value>
-                        </list>
                         <list key="server-features">
                             <value template="mustache"><![CDATA[
     security:
@@ -334,10 +118,6 @@ security:
         {{/paths-config-entries}}
 ]]></value>
                         </list>
-                        <list key="module-requires" if="${flavor} == 'se'">
-                            <value>io.helidon.security.integration.common</value>
-                            <value>io.helidon.webserver.security</value>
-                        </list>
                     </model>
                 </output>
             </boolean>
diff --git a/archetypes/helidon/src/main/archetype/mp/custom/custom-mp.xml b/archetypes/helidon/src/main/archetype/mp/custom/custom-mp.xml
index 485e97114de..0de454edf69 100644
--- a/archetypes/helidon/src/main/archetype/mp/custom/custom-mp.xml
+++ b/archetypes/helidon/src/main/archetype/mp/custom/custom-mp.xml
@@ -31,6 +31,7 @@
     <exec src="/common/packaging.xml"/>
     <source src="observability.xml"/>
     <exec src="database-outputs.xml" if="${db}"/>
+    <source src="security-outputs.xml" if="${security}"/>
     <output>
         <model>
             <value key="helidon-test">true</value>
diff --git a/archetypes/helidon/src/main/archetype/common/files/application.google.yaml b/archetypes/helidon/src/main/archetype/mp/custom/files/application.google.yaml
similarity index 100%
rename from archetypes/helidon/src/main/archetype/common/files/application.google.yaml
rename to archetypes/helidon/src/main/archetype/mp/custom/files/application.google.yaml
diff --git a/archetypes/helidon/src/main/archetype/common/files/application.http-signature.yaml b/archetypes/helidon/src/main/archetype/mp/custom/files/application.http-signature.yaml
similarity index 100%
rename from archetypes/helidon/src/main/archetype/common/files/application.http-signature.yaml
rename to archetypes/helidon/src/main/archetype/mp/custom/files/application.http-signature.yaml
diff --git a/archetypes/helidon/src/main/archetype/common/files/application.oidc.yaml b/archetypes/helidon/src/main/archetype/mp/custom/files/application.oidc.yaml
similarity index 100%
rename from archetypes/helidon/src/main/archetype/common/files/application.oidc.yaml
rename to archetypes/helidon/src/main/archetype/mp/custom/files/application.oidc.yaml
diff --git a/archetypes/helidon/src/main/archetype/mp/custom/files/src/main/java/__pkg__/JwtApplication.java.mustache b/archetypes/helidon/src/main/archetype/mp/custom/files/src/main/java/__pkg__/JwtApplication.java.mustache
new file mode 100644
index 00000000000..443be088c12
--- /dev/null
+++ b/archetypes/helidon/src/main/archetype/mp/custom/files/src/main/java/__pkg__/JwtApplication.java.mustache
@@ -0,0 +1,17 @@
+package {{package}};
+
+import java.util.Set;
+
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.ws.rs.core.Application;
+import org.eclipse.microprofile.auth.LoginConfig;
+
+@LoginConfig(authMethod = "MP-JWT")
+@ApplicationScoped
+public class JwtApplication extends Application {
+
+    @Override
+    public Set<Class<?>> getClasses() {
+        return Set.of(JwtResource.class);
+    }
+}
diff --git a/archetypes/helidon/src/main/archetype/mp/custom/files/src/main/java/__pkg__/JwtResource.java.mustache b/archetypes/helidon/src/main/archetype/mp/custom/files/src/main/java/__pkg__/JwtResource.java.mustache
new file mode 100644
index 00000000000..c19509029e8
--- /dev/null
+++ b/archetypes/helidon/src/main/archetype/mp/custom/files/src/main/java/__pkg__/JwtResource.java.mustache
@@ -0,0 +1,24 @@
+package {{package}};
+
+import java.util.Optional;
+
+import io.helidon.security.Principal;
+import io.helidon.security.SecurityContext;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.Context;
+
+import static jakarta.ws.rs.core.MediaType.TEXT_PLAIN;
+
+@Path("/hello")
+public class JwtResource {
+
+    @GET
+    @Produces(TEXT_PLAIN)
+    public String hello(@Context SecurityContext context) {
+        Optional<Principal> userPrincipal = context.userPrincipal();
+        return "Hello, " + userPrincipal.get().getName() + "!";
+    }
+}
diff --git a/archetypes/helidon/src/main/archetype/mp/custom/security-outputs.xml b/archetypes/helidon/src/main/archetype/mp/custom/security-outputs.xml
new file mode 100644
index 00000000000..0b5c77facfa
--- /dev/null
+++ b/archetypes/helidon/src/main/archetype/mp/custom/security-outputs.xml
@@ -0,0 +1,102 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2023 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+<archetype-script xmlns="https://helidon.io/archetype/2.0"
+                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                  xsi:schemaLocation="https://helidon.io/archetype/2.0 https://helidon.io/xsd/archetype-2.0.xsd">
+    <methods>
+        <method name="security-oidc">
+            <output if="${security.atn} contains ['oidc']">
+                <model>
+                    <list key="dependencies">
+                        <map>
+                            <value key="groupId">io.helidon.microprofile</value>
+                            <value key="artifactId">helidon-microprofile-oidc</value>
+                        </map>
+                    </list>
+                    <list key="providers-config-entries">
+                        <value file="files/application.oidc.yaml"/>
+                    </list>
+                </model>
+            </output>
+        </method>
+        <method name="security-jwt">
+            <output if="${security.atn} contains ['jwt']">
+                <templates engine="mustache" transformations="mustache,packaged">
+                    <directory>files</directory>
+                    <includes>
+                        <include>**/JwtApplication.java.mustache</include>
+                        <include>**/JwtResource.java.mustache</include>
+                    </includes>
+                </templates>
+                <model>
+                    <list key="dependencies">
+                        <map>
+                            <value key="groupId">io.helidon.microprofile.jwt</value>
+                            <value key="artifactId">helidon-microprofile-jwt-auth</value>
+                        </map>
+                    </list>
+                    <list key="microprofile-config-entries">
+                        <value>mp.jwt.verify.issuer=https://{IssuerPublicDomain}/oauth2/default</value>
+                        <value template="mustache">mp.jwt.verify.publickey.location=${mp.jwt.verify.issuer}/v1/keys</value>
+                    </list>
+                    <list key="module-requires">
+                        <value >io.helidon.microprofile.jwt.auth</value>
+                    </list>
+                </model>
+            </output>
+        </method>
+        <method name="security-google">
+            <output if="${security.atn} contains ['google']">
+                <model>
+                    <list key="providers-config-entries">
+                        <value file="files/application.google.yaml"/>
+                    </list>
+                </model>
+            </output>
+        </method>
+        <method name="security-signature">
+            <output if="${security.atn} contains ['http-signature']">
+                <model>
+                    <list key="providers-config-entries">
+                        <value file="files/application.http-signature.yaml"/>
+                    </list>
+                </model>
+            </output>
+        </method>
+    </methods>
+    <call method="security-oidc"/>
+    <call method="security-jwt"/>
+    <call method="security-google"/>
+    <call method="security-signature"/>
+    <output>
+        <model>
+            <list key="dependencies">
+                <map>
+                    <value key="groupId">io.helidon.microprofile</value>
+                    <value key="artifactId">helidon-microprofile-security</value>
+                </map>
+            </list>
+            <list key="paths-config-entries">
+                <value><![CDATA[    - path: "/simple-greet"
+      methods: ["get"]
+      authenticate: true]]></value>
+            </list>
+        </model>
+    </output>
+</archetype-script>
diff --git a/archetypes/helidon/src/main/archetype/se/common/files/src/main/resources/application.yaml.mustache b/archetypes/helidon/src/main/archetype/se/common/files/src/main/resources/application.yaml.mustache
index 0957bafc6cb..f59a08c265c 100644
--- a/archetypes/helidon/src/main/archetype/se/common/files/src/main/resources/application.yaml.mustache
+++ b/archetypes/helidon/src/main/archetype/se/common/files/src/main/resources/application.yaml.mustache
@@ -11,16 +11,4 @@ server:
 
 {{.}}
 {{/application-yaml-entries}}
-{{#security}}
 
-security:
-  config.require-encryption: false
-  properties:
-{{#security-properties}}
-{{.}}
-{{/security-properties}}
-  providers:
-{{#providers-config-entries}}
-{{.}}
-{{/providers-config-entries}}
-{{/security}}
diff --git a/archetypes/helidon/src/main/archetype/se/custom/custom-se.xml b/archetypes/helidon/src/main/archetype/se/custom/custom-se.xml
index 7d3105be343..988a0cc38c2 100644
--- a/archetypes/helidon/src/main/archetype/se/custom/custom-se.xml
+++ b/archetypes/helidon/src/main/archetype/se/custom/custom-se.xml
@@ -25,11 +25,12 @@
     <exec src="/common/security.xml"/>
     <source src="database-inputs.xml"/>
     <source src="/common/extra.xml"/>
-    <source src="/se/custom/extra.xml"/>
+    <source src="extra.xml"/>
     <source src="/common/observability.xml"/>
     <source src="observability.xml"/>
     <exec src="/common/packaging.xml"/>
     <exec src="database-output.xml" if="${db}"/>
+    <source src="security-outputs.xml" if="${security}"/>
 
     <output>
         <file source="files/src/main/resources/WEB/index.html" target="src/main/resources/WEB/index.html" if="${media} contains 'multipart'"/>
diff --git a/archetypes/helidon/src/main/archetype/common/files/application.jwt.yaml b/archetypes/helidon/src/main/archetype/se/custom/files/application.jwt.yaml
similarity index 100%
rename from archetypes/helidon/src/main/archetype/common/files/application.jwt.yaml
rename to archetypes/helidon/src/main/archetype/se/custom/files/application.jwt.yaml
diff --git a/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/GoogleMain.java.mustache b/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/GoogleMain.java.mustache
index cafa5efce59..193c1727a8c 100644
--- a/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/GoogleMain.java.mustache
+++ b/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/GoogleMain.java.mustache
@@ -5,15 +5,15 @@ import java.util.concurrent.TimeUnit;
 
 import io.helidon.http.HttpMediaTypes;
 import io.helidon.logging.common.LogConfig;
-import io.helidon.webserver.WebServer;
-import io.helidon.webserver.WebServerConfig;
-import io.helidon.webserver.context.ContextFeature;
-import io.helidon.webserver.staticcontent.StaticContentService;
 import io.helidon.security.Security;
 import io.helidon.security.SecurityContext;
 import io.helidon.security.Subject;
-import io.helidon.webserver.security.SecurityFeature;
 import io.helidon.security.providers.google.login.GoogleTokenProvider;
+import io.helidon.webserver.WebServer;
+import io.helidon.webserver.WebServerConfig;
+import io.helidon.webserver.context.ContextFeature;
+import io.helidon.webserver.security.SecurityFeature;
+import io.helidon.webserver.staticcontent.StaticContentService;
 
 /**
  * Google login button example main class using builders.
@@ -55,11 +55,14 @@ public final class GoogleMain {
                 .addProvider(GoogleTokenProvider.builder()
                         .clientId("your-client-id.apps.googleusercontent.com"))
                 .build();
-        server.routing(routing -> routing
+        server.featuresDiscoverServices(false)
                 .addFeature(ContextFeature.create())
-                .addFeature(SecurityFeature.create(security))
+                .addFeature(SecurityFeature.builder()
+                                    .security(security)
+                                    .build())
+                .routing(routing -> routing
                 .get("/rest/profile", SecurityFeature.authenticate(),
-                        (req, res) -> {
+                     (req, res) -> {
                             Optional<SecurityContext> securityContext = req.context().get(SecurityContext.class);
                             res.headers().contentType(HttpMediaTypes.PLAINTEXT_UTF_8);
                             res.send("Response from builder based service, you are: \n" + securityContext
diff --git a/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/JwtOverrideService.java.mustache b/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/JwtOverrideService.java.mustache
index cccdea39d02..5297e9d6de2 100644
--- a/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/JwtOverrideService.java.mustache
+++ b/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/JwtOverrideService.java.mustache
@@ -1,5 +1,7 @@
 package {{package}};
 
+import io.helidon.security.EndpointConfig;
+import io.helidon.security.SecurityContext;
 import io.helidon.webclient.http1.Http1Client;
 import io.helidon.webclient.security.WebClientSecurity;
 import io.helidon.webserver.WebServer;
@@ -7,8 +9,6 @@ import io.helidon.webserver.http.HttpRules;
 import io.helidon.webserver.http.HttpService;
 import io.helidon.webserver.http.ServerRequest;
 import io.helidon.webserver.http.ServerResponse;
-import io.helidon.security.SecurityContext;
-import io.helidon.security.providers.jwt.JwtProvider;
 
 final class JwtOverrideService implements HttpService {
 
@@ -32,7 +32,7 @@ final class JwtOverrideService implements HttpService {
                 .orElseThrow(() -> new RuntimeException("WebServer not found in context"));
 
         String result = client.get("http://localhost:" + server.port("backend") + "/hello")
-                .property(JwtProvider.EP_PROPERTY_OUTBOUND_USER, "jill")
+                .property(EndpointConfig.PROPERTY_OUTBOUND_ID, "jill")
                 .requestEntity(String.class);
 
         res.send("You are: " + context.userName() + ", backend service returned: " + result);
diff --git a/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/OutboundOverrideJwt.java.mustache b/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/OutboundOverrideJwt.java.mustache
index 1dc258ca079..d522e37352b 100644
--- a/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/OutboundOverrideJwt.java.mustache
+++ b/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/OutboundOverrideJwt.java.mustache
@@ -2,16 +2,15 @@ package {{package}};
 
 import java.util.concurrent.TimeUnit;
 
-import io.helidon.http.Header;
 import io.helidon.config.Config;
 import io.helidon.config.ConfigSources;
-import io.helidon.webserver.WebServer;
-import io.helidon.webserver.WebServerConfig;
-import io.helidon.webserver.context.ContextFeature;
+import io.helidon.http.HeaderNames;
 import io.helidon.security.Principal;
 import io.helidon.security.SecurityContext;
 import io.helidon.security.Subject;
-import io.helidon.webserver.security.SecurityFeature;
+import io.helidon.webserver.WebServer;
+import io.helidon.webserver.WebServerConfig;
+import io.helidon.webserver.security.SecurityHttpFeature;
 
 /**
  * Creates two services.
@@ -72,19 +71,17 @@ public final class OutboundOverrideJwt {
         Config backendConfig = Config.create(ConfigSources.classpath("backend-service-jwt.yaml"));
 
         server.routing(routing -> routing
-                        .addFeature(ContextFeature.create())
-                        .addFeature(SecurityFeature.create(clientConfig.get("security")))
+                        .addFeature(SecurityHttpFeature.create(clientConfig.get("security.web-server")))
                         .register(new JwtOverrideService()))
 
                 // backend that prints the current user
                 .putSocket("backend", socket -> socket
                         .routing(routing -> routing
-                                .addFeature(ContextFeature.create())
-                                .addFeature(SecurityFeature.create(backendConfig.get("security")))
+                                .addFeature(SecurityHttpFeature.create(backendConfig.get("security.web-server")))
                                 .get("/hello", (req, res) -> {
 
                                     // This is the token. It should be bearer <signed JWT base64 encoded>
-                                    req.headers().first(Header.AUTHORIZATION)
+                                    req.headers().first(HeaderNames.AUTHORIZATION)
                                             .ifPresent(System.out::println);
 
                                     String username = req.context()
diff --git a/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/SignatureMain.java.mustache b/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/SignatureMain.java.mustache
index 76a4614d00f..0dfa4204d45 100644
--- a/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/SignatureMain.java.mustache
+++ b/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/SignatureMain.java.mustache
@@ -10,14 +10,9 @@ import java.util.concurrent.TimeUnit;
 
 import io.helidon.common.configurable.Resource;
 import io.helidon.common.pki.Keys;
-import io.helidon.webserver.WebServer;
-import io.helidon.webserver.WebServerConfig;
-import io.helidon.webserver.context.ContextFeature;
-import io.helidon.webserver.http.HttpRouting;
 import io.helidon.security.CompositeProviderFlag;
 import io.helidon.security.CompositeProviderSelectionPolicy;
 import io.helidon.security.Security;
-import io.helidon.webserver.security.SecurityFeature;
 import io.helidon.security.providers.common.OutboundConfig;
 import io.helidon.security.providers.common.OutboundTarget;
 import io.helidon.security.providers.httpauth.HttpBasicAuthProvider;
@@ -25,11 +20,15 @@ import io.helidon.security.providers.httpauth.SecureUserStore;
 import io.helidon.security.providers.httpsign.HttpSignProvider;
 import io.helidon.security.providers.httpsign.InboundClientDefinition;
 import io.helidon.security.providers.httpsign.OutboundTargetDefinition;
+import io.helidon.webserver.WebServer;
+import io.helidon.webserver.WebServerConfig;
+import io.helidon.webserver.http.HttpRouting;
+import io.helidon.webserver.security.SecurityFeature;
+import io.helidon.webserver.security.SecurityHttpFeature;
 
 /**
  * Example of authentication of service with http signatures, using configuration file as much as possible.
  */
-@SuppressWarnings("DuplicatedCode")
 public class SignatureMain {
 
     private static final Map<String, SecureUserStore.User> USERS = new HashMap<>();
@@ -110,20 +109,18 @@ public class SignatureMain {
     }
 
     private static void routing2(HttpRouting.Builder routing) {
-        SecurityFeature security = SecurityFeature.create(security2())
+        SecurityHttpFeature security = SecurityHttpFeature.create(security2())
                 .securityDefaults(SecurityFeature.authenticate());
 
-        routing.addFeature(ContextFeature.create())
-                .addFeature(security)
+        routing.addFeature(security)
                 .get("/service2*", SecurityFeature.rolesAllowed("user"))
                 .register(new Service2());
     }
 
     private static void routing1(HttpRouting.Builder routing) {
-        SecurityFeature security = SecurityFeature.create(security1())
+        SecurityHttpFeature security = SecurityHttpFeature.create(security1())
                 .securityDefaults(SecurityFeature.authenticate());
-        routing.addFeature(ContextFeature.create())
-                .addFeature(security)
+        routing.addFeature(security)
                 .get("/service1*", SecurityFeature.rolesAllowed("user"))
                 .register(new Service1());
     }
diff --git a/archetypes/helidon/src/main/archetype/se/custom/files/src/main/resources/WEB/index-google.html b/archetypes/helidon/src/main/archetype/se/custom/files/src/main/resources/WEB/index-google.html
new file mode 100644
index 00000000000..92ddcd61e89
--- /dev/null
+++ b/archetypes/helidon/src/main/archetype/se/custom/files/src/main/resources/WEB/index-google.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<html ng-app="g">
+<head>
+    <title>Google Login Provider</title>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="initial-scale=1, maximum-scale=1">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+    <!--
+    This client ID works only for localhost:8080, if you want to try more, create your own application
+    Also change the client-id configured in application.conf
+    -->
+    <meta name="google-signin-client_id" content="your-client-id.apps.googleusercontent.com">
+
+    <!-- Latest CSS -->
+    <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"
+          integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
+</head>
+<body>
+<!-- Angular.js -->
+<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js"></script>
+<!-- This application's javascript -->
+<script type="text/javascript" src="static/js/google-app.js"></script>
+<!-- Google API -->
+<script src="https://apis.google.com/js/platform.js" async defer></script>
+
+<script type="text/javascript">
+    function onSignIn(googleUser) {
+        var profile = googleUser.getBasicProfile();
+        var id_token = googleUser.getAuthResponse().id_token;
+        var elem = document.getElementById('gat_input');
+        elem.value = id_token;
+        console.log('Bearer ' + id_token);
+        console.log('ID: ' + profile.getId()); // Do not send to your backend! Use an ID token instead.
+        console.log('Name: ' + profile.getName());
+        console.log('Image URL: ' + profile.getImageUrl());
+        console.log('Email: ' + profile.getEmail()); // This is null if the 'email' scope is not present.
+        console.log('Expires in ' + googleUser.getAuthResponse().expires_in + ' seconds');
+        console.log('Expiry: ' + googleUser.getAuthResponse().expires_at);
+    }
+</script>
+
+<div id="app">
+    <table border="0" cellpadding="1" cellspacing="1">
+        <tr>
+            <td><p>Login to Google.</p></td>
+        </tr>
+        <tr>
+            <td>
+                <div class="g-signin2" data-onsuccess="onSignIn"></div>
+            </td>
+        </tr>
+        <tr>
+            <td>
+                <form name="privateForm"
+                      ng-submit="document.getElementById('gat_input').value() != '' && gCtrl.callBackend()" novalidate
+                      ng-controller="GoogleController as gCtrl">
+                    <input type="text" id="gat_input" ng-minlength="5" style="display: none;"/>
+                    <div class="form-footer">
+                        <button type="submit" class="btn btn-primary pull-right">Call backend</button>
+                    </div>
+                </form>
+            </td>
+        </tr>
+    </table>
+</div>
+
+</body>
+</html>
diff --git a/archetypes/helidon/src/main/archetype/common/files/src/main/resources/signing-jwk.json b/archetypes/helidon/src/main/archetype/se/custom/files/src/main/resources/signing-jwk.json
similarity index 100%
rename from archetypes/helidon/src/main/archetype/common/files/src/main/resources/signing-jwk.json
rename to archetypes/helidon/src/main/archetype/se/custom/files/src/main/resources/signing-jwk.json
diff --git a/archetypes/helidon/src/main/archetype/common/files/src/main/resources/verifying-jwk.json b/archetypes/helidon/src/main/archetype/se/custom/files/src/main/resources/verifying-jwk.json
similarity index 89%
rename from archetypes/helidon/src/main/archetype/common/files/src/main/resources/verifying-jwk.json
rename to archetypes/helidon/src/main/archetype/se/custom/files/src/main/resources/verifying-jwk.json
index 09df45ed5b0..5bfc903024a 100644
--- a/archetypes/helidon/src/main/archetype/common/files/src/main/resources/verifying-jwk.json
+++ b/archetypes/helidon/src/main/archetype/se/custom/files/src/main/resources/verifying-jwk.json
@@ -2,7 +2,7 @@
     "keys": [
         {
             "kty": "oct",
-            "kid": "example",
+            "kid": "helidon",
             "alg": "HS256",
             "key_ops": [
                 "sign",
diff --git a/archetypes/helidon/src/main/archetype/se/custom/files/src/test/java/__pkg__/OutboundOverrideJwtTest.java.mustache b/archetypes/helidon/src/main/archetype/se/custom/files/src/test/java/__pkg__/OutboundOverrideJwtTest.java.mustache
index 72b95d1a19b..5742a2af785 100644
--- a/archetypes/helidon/src/main/archetype/se/custom/files/src/test/java/__pkg__/OutboundOverrideJwtTest.java.mustache
+++ b/archetypes/helidon/src/main/archetype/se/custom/files/src/test/java/__pkg__/OutboundOverrideJwtTest.java.mustache
@@ -2,16 +2,16 @@ package {{package}};
 
 import java.net.URI;
 
-import io.helidon.webserver.testing.junit5.ServerTest;
-import io.helidon.webserver.testing.junit5.SetUpServer;
+import io.helidon.security.EndpointConfig;
+import io.helidon.security.Security;
+import io.helidon.security.providers.httpauth.HttpBasicAuthProvider;
 import io.helidon.webclient.http1.Http1Client;
-import io.helidon.webclient.http1.Http1ClientRequest;
 import io.helidon.webclient.http1.Http1ClientResponse;
 import io.helidon.webclient.security.WebClientSecurity;
 import io.helidon.webserver.WebServer;
 import io.helidon.webserver.WebServerConfig;
-import io.helidon.security.Security;
-import io.helidon.security.providers.httpauth.HttpBasicAuthProvider;
+import io.helidon.webserver.testing.junit5.ServerTest;
+import io.helidon.webserver.testing.junit5.SetUpServer;
 
 import org.junit.jupiter.api.Test;
 
@@ -46,8 +46,8 @@ public class OutboundOverrideJwtTest {
     public void testOverrideExample() {
         try (Http1ClientResponse response = client.get()
                 .path("/override")
-                .property(HttpBasicAuthProvider.EP_PROPERTY_OUTBOUND_USER, "jack")
-                .property(HttpBasicAuthProvider.EP_PROPERTY_OUTBOUND_PASSWORD, "password")
+                .property(EndpointConfig.PROPERTY_OUTBOUND_ID, "jack")
+                .property(EndpointConfig.PROPERTY_OUTBOUND_SECRET, "password")
                 .request()) {
 
             assertThat(response.status().code(), is(200));
@@ -61,8 +61,8 @@ public class OutboundOverrideJwtTest {
     public void testPropagateExample() {
         try (Http1ClientResponse response = client.get()
                 .path("/propagate")
-                .property(HttpBasicAuthProvider.EP_PROPERTY_OUTBOUND_USER, "jack")
-                .property(HttpBasicAuthProvider.EP_PROPERTY_OUTBOUND_PASSWORD, "password")
+                .property(EndpointConfig.PROPERTY_OUTBOUND_ID, "jack")
+                .property(EndpointConfig.PROPERTY_OUTBOUND_SECRET, "password")
                 .request()) {
 
             assertThat(response.status().code(), is(200));
diff --git a/archetypes/helidon/src/main/archetype/se/custom/files/src/test/java/__pkg__/SignatureMainTest.java.mustache b/archetypes/helidon/src/main/archetype/se/custom/files/src/test/java/__pkg__/SignatureMainTest.java.mustache
index 2f03ecf9751..bdd4e56be1d 100644
--- a/archetypes/helidon/src/main/archetype/se/custom/files/src/test/java/__pkg__/SignatureMainTest.java.mustache
+++ b/archetypes/helidon/src/main/archetype/se/custom/files/src/test/java/__pkg__/SignatureMainTest.java.mustache
@@ -13,8 +13,8 @@ import io.helidon.security.providers.httpauth.HttpBasicAuthProvider;
 
 import org.junit.jupiter.api.Test;
 
-import static io.helidon.security.providers.httpauth.HttpBasicAuthProvider.EP_PROPERTY_OUTBOUND_PASSWORD;
-import static io.helidon.security.providers.httpauth.HttpBasicAuthProvider.EP_PROPERTY_OUTBOUND_USER;
+import static io.helidon.security.EndpointConfig.PROPERTY_OUTBOUND_SECRET;
+import static io.helidon.security.EndpointConfig.PROPERTY_OUTBOUND_ID;
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.not;
 import static org.hamcrest.CoreMatchers.is;
@@ -50,8 +50,8 @@ public abstract class SignatureMainTest {
 
     private void test(String uri, Set<String> expectedRoles, Set<String> invalidRoles, String service) {
         try (Http1ClientResponse response = client.get(uri)
-                .property(EP_PROPERTY_OUTBOUND_USER, "jack")
-                .property(EP_PROPERTY_OUTBOUND_PASSWORD, "password")
+                .property(PROPERTY_OUTBOUND_ID, "jack")
+                .property(PROPERTY_OUTBOUND_SECRET, "password")
                 .request()) {
 
             assertThat(response.status().code(), is(200));
diff --git a/archetypes/helidon/src/main/archetype/se/custom/security-outputs.xml b/archetypes/helidon/src/main/archetype/se/custom/security-outputs.xml
new file mode 100644
index 00000000000..fc134386516
--- /dev/null
+++ b/archetypes/helidon/src/main/archetype/se/custom/security-outputs.xml
@@ -0,0 +1,395 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2023 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+<archetype-script xmlns="https://helidon.io/archetype/2.0"
+                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                  xsi:schemaLocation="https://helidon.io/archetype/2.0 https://helidon.io/xsd/archetype-2.0.xsd">
+    <methods>
+        <method name="security-oidc">
+            <output if="${security.atn} contains ['oidc']">
+                <model>
+                    <list key="providers-config-entries">
+                        <value><![CDATA[
+  - oidc:
+      client-id: "your-client-id"
+      client-secret: "your-client-secret"
+      identity-uri: "https://your-tenant-id.identity.oracle.com"
+      # A prefix used for custom scopes
+      scope-audience: "http://localhost:7987/test-application"
+      proxy-host: ""
+      # Used as a base for redirects back to us (based on Host header now, so no need to explicitly define it)
+      # If explicitly defined, will override host header
+      # frontend-uri: "http://localhost:7987"
+      # support for non-public signature JWK (and maybe other IDCS specific handling)
+      server-type: "idcs"
+      logout-enabled: true
+      # Can define just a path, host will be taken from header
+      post-logout-uri: "/loggedout"
+      # We want to redirect to login page (and token can be received either through cookie or header)
+      redirect: true
+  - idcs-role-mapper:
+      multitenant: false
+      oidc-config:
+        # we must repeat IDCS configuration, as in this case
+        # IDCS serves both as open ID connect authenticator and
+        # as a role mapper. Using minimal configuration here
+        client-id: "your-client-id"
+        client-secret: "your-client-secret"
+        identity-uri: "https://your-tenant-id.identity.oracle.com"]]></value>
+                    </list>
+                    <list key="paths-config-entries">
+                        <value><![CDATA[   - path: "/rest/profile"
+             methods: ["get"]
+             authenticate: true
+             roles-allowed: ["my_admins"]]]></value>
+                    </list>
+                    <list key="dependencies">
+                        <map>
+                            <value key="groupId">io.helidon.security.providers</value>
+                            <value key="artifactId">helidon-security-providers-oidc</value>
+                        </map>
+                        <map>
+                            <value key="groupId">io.helidon.security.providers</value>
+                            <value key="artifactId">helidon-security-providers-idcs-mapper</value>
+                        </map>
+                    </list>
+                    <list key="Main-java-imports">
+                        <value>java.util.Optional</value>
+                    </list>
+                    <list key="Main-helidon-imports">
+                        <value>io.helidon.common.context.Contexts</value>
+                        <value>io.helidon.http.HttpMediaTypes</value>
+                        <value>io.helidon.security.Security</value>
+                        <value>io.helidon.security.SecurityContext</value>
+                        <value>io.helidon.security.Subject</value>
+                        <value>io.helidon.security.providers.oidc.OidcFeature</value>
+                    </list>
+                    <list key="Main-main">
+                        <value><![CDATA[
+        Security security = Security.create(config.get("security"));
+        // this is needed for proper encryption/decryption of cookies
+        Contexts.globalContext().register(security);
+]]></value>
+                    </list>
+                    <list key="Main-routing">
+                        <value><![CDATA[
+        if (Config.global().get("security.enabled").asBoolean().orElse(true)) {
+            // IDCS requires a web resource for redirects
+            routing.addFeature(OidcFeature.create(Config.global()));
+        }
+]]></value>
+                    </list>
+                    <list key="Main-routing-builder">
+                        <value><![CDATA[// web server does not (yet) have possibility to configure routes in config files, so explicit...
+                        .get("/rest/profile", (req, res) -> {
+                            Optional<SecurityContext> securityContext = req.context().get(SecurityContext.class);
+                            res.headers().contentType(HttpMediaTypes.PLAINTEXT_UTF_8);
+                            res.send("Response from config based service, you are: \n" + securityContext
+                                    .flatMap(SecurityContext::user)
+                                    .map(Subject::toString)
+                                    .orElse("Security context is null"));
+                        })
+                        .get("/loggedout", (req, res) -> res.send("You have been logged out"))]]></value>
+                    </list>
+                    <list key="module-requires">
+                        <value>io.helidon.security</value>
+                        <value>io.helidon.security.providers.oidc</value>
+                    </list>
+                    <list key="readme-sections">
+                        <value><![CDATA[
+## Security integration with IDCS
+
+This example demonstrates integration with IDCS (Oracle identity service, integrated with Open ID Connect provider).
+
+### Code Configuration
+
+Edit application.yaml for IdcsMain.java or OidcConfig variable definition for IdcsBuilderMain.java sample
+
+ 1. idcs-uri  : Base URL of your idcs instance, usually something like https://idcs-<longnumber>.identity.oraclecloud.com
+ 2. idcs-client-id  : This is obtained from your IDCS application in the IDCS console
+ 3. idcs-client-secret   : This is obtained from your IDCS application in the IDCS console
+ 4. frontend-uri : This is the base URL of your application when run, e.g. `http://localhost:7987`
+ 5. proxy-host   : Your proxy server if needed
+ 6. scope-audience : This is the scope audience which MUST match the primary audience in the IDCS resource, recommendation is not to have a trailing slash (/)
+
+## Try the application
+
+Build and run the application and then try the endpoints:
+
+1. Open http://localhost:7987/rest/profile in your browser. This should present
+ you with a response highlighting your logged in role (null) correctly as you are not logged in
+2. Open `http://localhost:7987/oidc/logout` in your browser. This will log you out from your IDCS and Helidon sessions
+]]></value>
+                    </list>
+                </model>
+            </output>
+        </method>
+        <method name="security-google">
+            <output if="${security.atn} contains ['google']">
+                <templates engine="mustache" transformations="mustache,packaged">
+                    <directory>files</directory>
+                    <includes>
+                        <include>src/*/java/**/GoogleMain.java.mustache</include>
+                        <include>src/*/java/**/GoogleMainTest.java.mustache</include>
+                    </includes>
+                </templates>
+                <files>
+                    <directory>files</directory>
+                    <includes>
+                        <include>src/*/resources/**/static.js/google-app.js</include>
+                    </includes>
+                </files>
+                <file source="files/src/main/resources/WEB/index-google.html" target="src/main/resources/WEB/index.html"/>
+                <model>
+                    <list key="dependencies">
+                        <map>
+                            <value key="groupId">io.helidon.bundles</value>
+                            <value key="artifactId">helidon-bundles-config</value>
+                        </map>
+                        <map>
+                            <value key="groupId">io.helidon.webserver</value>
+                            <value key="artifactId">helidon-webserver-static-content</value>
+                        </map>
+                    </list>
+                    <list key="security-properties">
+                        <value><![CDATA[    google-client-id: "your-app-id.apps.googleusercontent.com"
+    proxy-host: ""]]></value>
+                    </list>
+                    <list key="providers-config-entries">
+                        <value><![CDATA[    - google-login:
+        # Create your own application in Google developer console
+        # Also update the client id configured in header of index.html
+        # Detailed how-to for login button (including links how to create an application):
+        # https://developers.google.com/identity/sign-in/web/sign-in
+        client-id: "your-app-id.apps.googleusercontent.com"
+        # Defaults for Helidon
+        # realm: "helidon"
+        # Configure proxy host if needed
+        proxy-host: ""
+        # proxy-port: 80
+
+        # This is the default for GoogleTokenProvider
+        #token:
+        #  header: "Authorization"
+        # or do not specify - then the whole header is considered to be the token value
+        #  prefix: "bearer "
+        # optional alternative - looking for first matching group
+        #  regexp: "bearer (.*)"
+        #}]]></value>
+                    </list>
+                    <list key="readme-sections" >
+                        <value template="mustache"><![CDATA[
+## Try Google login
+
+There is a static web page in src/main/resources/WEB with a page to login to Google.
+
+This example requires a Google client id to run.
+Update the following files with your client id (it should support http://localhost:8080):
+1. src/main/resources/application.yaml - set security.properties.google-client-id or override it in a file in ~/helidon/examples.yaml
+2. src/main/resources/WEB/index.html - update the meta tag in header with name "google-signin-client_id"
+3. src/main/java/io/helidon/security/examples/google/GoogleMain.java - update the client id in builder of provider
+
+## Exercise Google example
+```bash
+java -cp target/{{artifactId}}.jar {{package}}.GoogleMain
+```
+]]></value>
+                    </list>
+                </model>
+            </output>
+        </method>
+        <method name="security-jwt">
+            <output if="${security.atn} contains ['jwt']">
+                <templates engine="mustache" transformations="mustache,packaged">
+                    <directory>files</directory>
+                    <includes>
+                        <include>src/*/java/**/OutboundOverrideJwt.java.mustache</include>
+                        <include>src/*/java/**/OutboundOverrideJwtTest.java.mustache</include>
+                        <include>src/*/java/**/JwtOverrideService.java.mustache</include>
+                    </includes>
+                </templates>
+                <files>
+                    <directory>files</directory>
+                    <includes>
+                        <include>src/*/resources/**/backend-service-jwt.yaml</include>
+                        <include>src/*/resources/**/client-service-jwt.yaml</include>
+                        <include>src/*/resources/**/signing-jwk.json</include>
+                        <include>src/*/resources/**/verifying-jwk.json</include>
+                    </includes>
+                </files>
+                <model>
+                    <list key="dependencies">
+                        <map>
+                            <value key="groupId">io.helidon.webclient</value>
+                            <value key="artifactId">helidon-webclient-security</value>
+                        </map>
+                        <map>
+                            <value key="groupId">io.helidon.security.providers</value>
+                            <value key="artifactId">helidon-security-providers-http-auth</value>
+                        </map>
+                        <map>
+                            <value key="groupId">io.helidon.security.providers</value>
+                            <value key="artifactId">helidon-security-providers-jwt</value>
+                        </map>
+                        <map>
+                            <value key="groupId">io.helidon.bundles</value>
+                            <value key="artifactId">helidon-bundles-config</value>
+                        </map>
+                    </list>
+                    <list key="providers-config-entries">
+                        <value file="files/application.jwt.yaml"/>
+                    </list>
+                    <list key="module-requires">
+                        <value>io.helidon.webclient.security</value>
+                        <value>io.helidon.security.providers.jwt</value>
+                        <value>io.helidon.webclient.http1</value>
+                    </list>
+                    <list key="readme-sections">
+                        <value template="mustache"><![CDATA[
+## Try JWT
+
+Run the application:
+```bash
+java -cp target/{{artifactId}}.jar {{package}}.OutboundOverrideJwt
+```
+
+Try the endpoints:
+```bash
+curl -u "jack:password" http://localhost:8080/propagate
+curl -u "jack:password" http://localhost:8080/override
+curl -u "jill:anotherPassword" http://localhost:8080/propagate
+curl -u "jill:anotherPassword" http://localhost:8080/override
+```
+]]></value>
+                    </list>
+                </model>
+            </output>
+        </method>
+        <method name="security-signature">
+            <output if="${security.atn} contains ['http-signature']">
+                <templates engine="mustache" transformations="mustache,packaged">
+                    <directory>files</directory>
+                    <includes>
+                        <include>src/*/java/**/Service1.java.mustache</include>
+                        <include>src/*/java/**/Service2.java.mustache</include>
+                        <include>src/*/java/**/SignatureMain.java.mustache</include>
+                        <include>src/*/java/**/SignatureMainTest.java.mustache</include>
+                    </includes>
+                </templates>
+                <model>
+                    <list key="dependencies">
+                        <map>
+                            <value key="groupId">io.helidon.webclient</value>
+                            <value key="artifactId">helidon-webclient-security</value>
+                        </map>
+                        <map>
+                            <value key="groupId">io.helidon.bundles</value>
+                            <value key="artifactId">helidon-bundles-security</value>
+                        </map>
+                        <map>
+                            <value key="groupId">io.helidon.config</value>
+                            <value key="artifactId">helidon-config-hocon</value>
+                        </map>
+                    </list>
+                    <list key="module-requires">
+                        <value>io.helidon.webclient.http1</value>
+                        <value>io.helidon.common.pki</value>
+                        <value>io.helidon.webserver.context</value>
+                        <value>io.helidon.security.providers.common</value>
+                        <value>io.helidon.security.providers.httpauth</value>
+                        <value>io.helidon.security.providers.httpsign</value>
+                    </list>
+                    <list key="readme-sections">
+                        <value template="mustache"><![CDATA[
+## Try Signature
+
+```bash
+mvn package
+java -cp target/{{artifactId}}.jar {{package}}.SignatureMain
+```
+
+Try the endpoints:
+```bash
+curl -u "jack:password" http://localhost:8080/service1
+curl -u "jill:password" http://localhost:8080/service1-rsa
+curl -v -u "john:password" http://localhost:8080/service1
+```
+]]></value>
+                    </list>
+                </model>
+            </output>
+        </method>
+        <method name="security-abac">
+            <output if="${security.atz} contains ['abac']">
+                <model>
+                    <list key="dependencies">
+                        <map>
+                            <value key="groupId">io.helidon.security.abac</value>
+                            <value key="artifactId">helidon-security-abac-scope</value>
+                        </map>
+                        <map>
+                            <value key="groupId">io.helidon.security.abac</value>
+                            <value key="artifactId">helidon-security-abac-role</value>
+                        </map>
+                    </list>
+                </model>
+            </output>
+        </method>
+    </methods>
+    <call method="security-oidc"/>
+    <call method="security-google"/>
+    <call method="security-jwt"/>
+    <call method="security-signature"/>
+    <call method="security-abac"/>
+    <output>
+        <model>
+            <list key="dependencies">
+                <map>
+                    <value key="groupId">io.helidon.webserver</value>
+                    <value key="artifactId">helidon-webserver-security</value>
+                </map>
+            </list>
+            <list key="application-test-yaml-entries">
+                <value><![CDATA[
+security:
+  enabled: false
+]]></value>
+            </list>
+            <list key="module-requires">
+                <value>io.helidon.security.integration.common</value>
+                <value>io.helidon.webserver.security</value>
+            </list>
+            <list key="application-yaml-entries" if="!(${security.atn} == [ 'http-signature' ])">
+                <value template="mustache"><![CDATA[
+{{#security}}
+
+security:
+  config.require-encryption: false
+  properties:
+{{#security-properties}}
+{{.}}
+{{/security-properties}}
+  providers:
+{{#providers-config-entries}}
+{{.}}
+{{/providers-config-entries}}
+{{/security}}]]></value>
+            </list>
+        </model>
+    </output>
+</archetype-script>
diff --git a/archetypes/helidon/src/main/archetype/se/custom/security.xml b/archetypes/helidon/src/main/archetype/se/custom/security.xml
deleted file mode 100644
index 7bccd44854a..00000000000
--- a/archetypes/helidon/src/main/archetype/se/custom/security.xml
+++ /dev/null
@@ -1,48 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-    Copyright (c) 2023 Oracle and/or its affiliates.
-
-    Licensed under the Apache License, Version 2.0 (the "License");
-    you may not use this file except in compliance with the License.
-    You may obtain a copy of the License at
-
-        http://www.apache.org/licenses/LICENSE-2.0
-
-    Unless required by applicable law or agreed to in writing, software
-    distributed under the License is distributed on an "AS IS" BASIS,
-    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-    See the License for the specific language governing permissions and
-    limitations under the License.
-
--->
-<archetype-script xmlns="https://helidon.io/archetype/2.0"
-                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                  xsi:schemaLocation="https://helidon.io/archetype/2.0 https://helidon.io/xsd/archetype-2.0.xsd">
-    <output>
-        <templates engine="mustache" transformations="mustache,packaged" if="${security}">
-            <directory>files</directory>
-            <includes>
-                <include if="${security.atn} == 'jwt'">src/*/java/**/OutboundOverrideJwtExample.java.mustache</include>
-                <include if="${security.atn} == 'jwt'">src/*/java/**/OutboundOverrideJwtExampleTest.java.mustache</include>
-                <include if="${security.atn} == 'jwt'">src/*/java/**/JwtOverrideService.java.mustache</include>
-                <include if="${security.atn} == 'google'">src/*/java/**/GoogleMain.java.mustache</include>
-                <include if="${security.atn} == 'google'">src/*/java/**/GoogleMainTest.java.mustache</include>
-                <include if="${security.atn} == 'http-signature'">src/*/java/**/Service1.java.mustache</include>
-                <include if="${security.atn} == 'http-signature'">src/*/java/**/Service2.java.mustache</include>
-                <include if="${security.atn} == 'http-signature'">src/*/java/**/SignatureMain.java.mustache</include>
-                <include if="${security.atn} == 'http-signature'">src/*/java/**/SignatureMainTest.java.mustache</include>
-                <include>/**/trick-to-avoid-empty-tag</include>
-            </includes>
-        </templates>
-        <templates engine="mustache" transformations="mustache" if="${security}">
-            <directory>files</directory>
-            <includes>
-                <include if="${security.atn} == 'jwt'">src/*/resources/**/backend-service-jwt.yaml</include>
-                <include if="${security.atn} == 'jwt'">src/*/resources/**/client-service-jwt.yaml</include>
-                <include if="${security.atn} == 'google'">src/*/resources/**/google.js/google-app.js</include>
-                <include>/**/trick-to-avoid-empty-tag</include>
-            </includes>
-        </templates>
-    </output>
-</archetype-script>

From 73fbcc3b356d5b624420c71bc80ffe3886a49a3f Mon Sep 17 00:00:00 2001
From: tvallin <thibault.vallin@oracle.com>
Date: Wed, 8 Nov 2023 11:43:07 +0100
Subject: [PATCH 2/3] improve OIDC generated code

Signed-off-by: tvallin <thibault.vallin@oracle.com>
---
 .../mp/custom/files/application.oidc.yaml     | 29 ++++++++++---------
 .../java/__pkg__/OidcResource.java.mustache   | 27 +++++++++++++++++
 .../archetype/mp/custom/security-outputs.xml  | 20 +++++++++++++
 3 files changed, 62 insertions(+), 14 deletions(-)
 create mode 100644 archetypes/helidon/src/main/archetype/mp/custom/files/src/main/java/__pkg__/OidcResource.java.mustache

diff --git a/archetypes/helidon/src/main/archetype/mp/custom/files/application.oidc.yaml b/archetypes/helidon/src/main/archetype/mp/custom/files/application.oidc.yaml
index cfd8a1b9e3a..5f3f2aff3e1 100644
--- a/archetypes/helidon/src/main/archetype/mp/custom/files/application.oidc.yaml
+++ b/archetypes/helidon/src/main/archetype/mp/custom/files/application.oidc.yaml
@@ -1,15 +1,16 @@
     - oidc:
-        client-id: "client-id-of-this-service"
-        # See [EncryptionFilter](https://helidon.io/docs/latest/apidocs/io.helidon.config.encryption/io/helidon/config/encryption/EncryptionFilter.html) for details about encrypting passwords in configuration files.
-        client-secret: "client-secret-of-this-service"
-        identity-uri: "http://your-tenant.identity-server.com"
-        frontend-uri: "http://my-service:8080"
-        audience: "http://my-service"
-        cors:
-          allow-origins: ["http://foo.com", "http://there.com"]
-          allow-methods: ["PUT", "DELETE"]
-        outbound:
-          - name: "internal-services"
-            hosts: ["*.example.org"]
-            outbound-token:
-              header: "X-Internal-Auth"
+        # use a custom name, so it does not clash with other examples
+        cookie-name: "OIDC_EXAMPLE_COOKIE"
+        # support for "Authorization" header with bearer token
+        header-use: true
+        # the default redirect-uri, where the webserver listens on redirects from identity server
+        redirect-uri: "/oidc/redirect"
+        issuer: "https://tenant.some-server.com/oauth2/default"
+        audience: "configured audience"
+        client-id: "some client id"
+        client-secret: "some client secret"
+        identity-uri: "https://tenant.some-server.com/oauth2/default"
+        frontend-uri: "http://localhost:7987"
+        server-type: "@default"
+        # We want to redirect to login page (and token can be received either through cookie or header)
+        redirect: true
diff --git a/archetypes/helidon/src/main/archetype/mp/custom/files/src/main/java/__pkg__/OidcResource.java.mustache b/archetypes/helidon/src/main/archetype/mp/custom/files/src/main/java/__pkg__/OidcResource.java.mustache
new file mode 100644
index 00000000000..0d132a18ded
--- /dev/null
+++ b/archetypes/helidon/src/main/archetype/mp/custom/files/src/main/java/__pkg__/OidcResource.java.mustache
@@ -0,0 +1,27 @@
+package {{package}};
+
+import io.helidon.security.SecurityContext;
+import io.helidon.security.annotations.Authenticated;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.core.Context;
+
+/**
+ * A simple JAX-RS resource with a single GET method.
+ */
+@Path("/test")
+public class OidcResource {
+
+    /**
+     * Hello world using security context.
+     * @param securityContext context as established during login
+     * @return a string with current username
+     */
+    @Authenticated
+    @GET
+    public String getIt(@Context SecurityContext securityContext) {
+        return "Hello " + securityContext.userName();
+    }
+
+}
diff --git a/archetypes/helidon/src/main/archetype/mp/custom/security-outputs.xml b/archetypes/helidon/src/main/archetype/mp/custom/security-outputs.xml
index 0b5c77facfa..877d7d94869 100644
--- a/archetypes/helidon/src/main/archetype/mp/custom/security-outputs.xml
+++ b/archetypes/helidon/src/main/archetype/mp/custom/security-outputs.xml
@@ -22,6 +22,12 @@
     <methods>
         <method name="security-oidc">
             <output if="${security.atn} contains ['oidc']">
+                <templates engine="mustache" transformations="mustache,packaged">
+                    <directory>files</directory>
+                    <includes>
+                        <include>**/OidcResource.java.mustache</include>
+                    </includes>
+                </templates>
                 <model>
                     <list key="dependencies">
                         <map>
@@ -32,6 +38,20 @@
                     <list key="providers-config-entries">
                         <value file="files/application.oidc.yaml"/>
                     </list>
+                    <list key="module-requires">
+                        <value>io.helidon.security</value>
+                        <value>io.helidon.security.annotations</value>
+                    </list>
+                    <list key="readme-sections">
+                        <value><![CDATA[
+## Security integration with OIDC
+
+This example demonstrates integration with OIDC (Open ID Connect) providers.
+
+To configure it, you need to replace the default values from configuration
+to your tenant and application configuration.
+]]></value>
+                    </list>
                 </model>
             </output>
         </method>

From 765157016c73cf58082bb288bcfd3898bbd5f927 Mon Sep 17 00:00:00 2001
From: tvallin <thibault.vallin@oracle.com>
Date: Fri, 10 Nov 2023 10:18:59 +0100
Subject: [PATCH 3/3] remove main security main class + rename google
 index.html

Signed-off-by: tvallin <thibault.vallin@oracle.com>
---
 .../common/files/application.abac.yaml        |  34 --
 .../src/main/archetype/common/security.xml    |   3 -
 .../mp/custom/files/application.abac.yaml     |   3 +
 .../mp/custom/files/application.oidc.yaml     |  32 +-
 .../archetype/mp/custom/security-outputs.xml  |  10 +
 .../main/archetype/se/common/common-se.xml    |   7 +
 .../java/__pkg__/GoogleMain.java.mustache     |  76 ----
 .../__pkg__/OutboundOverrideJwt.java.mustache |  97 ------
 .../java/__pkg__/SignatureMain.java.mustache  | 218 ------------
 .../{index-google.html => google-login.html}  |   0
 .../java/__pkg__/GoogleMainTest.java.mustache |  44 ---
 .../archetype/se/custom/security-outputs.xml  | 324 ++++++++++++++++--
 12 files changed, 327 insertions(+), 521 deletions(-)
 delete mode 100644 archetypes/helidon/src/main/archetype/common/files/application.abac.yaml
 create mode 100644 archetypes/helidon/src/main/archetype/mp/custom/files/application.abac.yaml
 delete mode 100644 archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/GoogleMain.java.mustache
 delete mode 100644 archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/OutboundOverrideJwt.java.mustache
 delete mode 100644 archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/SignatureMain.java.mustache
 rename archetypes/helidon/src/main/archetype/se/custom/files/src/main/resources/WEB/{index-google.html => google-login.html} (100%)
 delete mode 100644 archetypes/helidon/src/main/archetype/se/custom/files/src/test/java/__pkg__/GoogleMainTest.java.mustache

diff --git a/archetypes/helidon/src/main/archetype/common/files/application.abac.yaml b/archetypes/helidon/src/main/archetype/common/files/application.abac.yaml
deleted file mode 100644
index 432b05d3d9f..00000000000
--- a/archetypes/helidon/src/main/archetype/common/files/application.abac.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-  - abac:
-    # prepares environment
-    # executes attribute validations
-    # validates that attributes were processed
-    # grants/denies access to resource
-    #
-    ####
-    # Combinations:
-    # # Will fail if any attribute is not validated and if any has failed validation
-    # fail-on-unvalidated: true
-    # fail-if-none-validated: true
-    #
-    # # Will fail if there is one or more attributes present and NONE of them is validated or if any has failed validation
-    # # Will NOT fail if there is at least one validated attribute and any number of not validated attributes (and NONE failed)
-    # fail-on-unvalidated: false
-    # fail-if-none-validated: true
-    #
-    # # Will fail if there is any attribute that failed validation
-    # # Will NOT fail if there are no failed validation or if there are NONE validated
-    # fail-on-unvalidated: false
-    # fail-if-none-validated: false
-    ####
-    # fail if an attribute was not validated (e.g. we do not know, whether it is valid or not)
-    # defaults to true
-    fail-on-unvalidated: true
-    # fail if none of the attributes were validated
-    # defaults to true
-    fail-if-none-validated: true
-#    policy-validator:
-#      validators:
-#      - class: "io.helidon.security.abac.policy.DefaultPolicyValidator"
-#      my-custom-policy-engine:
-#        some-key: "some value"
-#        another-key: "another value"
diff --git a/archetypes/helidon/src/main/archetype/common/security.xml b/archetypes/helidon/src/main/archetype/common/security.xml
index 232967c26a9..24eadb99f62 100644
--- a/archetypes/helidon/src/main/archetype/common/security.xml
+++ b/archetypes/helidon/src/main/archetype/common/security.xml
@@ -84,9 +84,6 @@
                         <option value="abac" name="ABAC" description="Attribute Based Access Control">
                             <output>
                                 <model>
-                                    <list key="providers-config-entries">
-                                        <value file="files/application.abac.yaml"/>
-                                    </list>
                                     <list key="dependencies">
                                         <map>
                                             <value key="groupId">io.helidon.security.providers</value>
diff --git a/archetypes/helidon/src/main/archetype/mp/custom/files/application.abac.yaml b/archetypes/helidon/src/main/archetype/mp/custom/files/application.abac.yaml
new file mode 100644
index 00000000000..b24b2e8660d
--- /dev/null
+++ b/archetypes/helidon/src/main/archetype/mp/custom/files/application.abac.yaml
@@ -0,0 +1,3 @@
+  - abac:
+      fail-on-unvalidated: true
+      fail-if-none-validated: true
diff --git a/archetypes/helidon/src/main/archetype/mp/custom/files/application.oidc.yaml b/archetypes/helidon/src/main/archetype/mp/custom/files/application.oidc.yaml
index 5f3f2aff3e1..850d884cc53 100644
--- a/archetypes/helidon/src/main/archetype/mp/custom/files/application.oidc.yaml
+++ b/archetypes/helidon/src/main/archetype/mp/custom/files/application.oidc.yaml
@@ -1,16 +1,16 @@
-    - oidc:
-        # use a custom name, so it does not clash with other examples
-        cookie-name: "OIDC_EXAMPLE_COOKIE"
-        # support for "Authorization" header with bearer token
-        header-use: true
-        # the default redirect-uri, where the webserver listens on redirects from identity server
-        redirect-uri: "/oidc/redirect"
-        issuer: "https://tenant.some-server.com/oauth2/default"
-        audience: "configured audience"
-        client-id: "some client id"
-        client-secret: "some client secret"
-        identity-uri: "https://tenant.some-server.com/oauth2/default"
-        frontend-uri: "http://localhost:7987"
-        server-type: "@default"
-        # We want to redirect to login page (and token can be received either through cookie or header)
-        redirect: true
+  - oidc:
+      # use a custom name, so it does not clash with other examples
+      cookie-name: "OIDC_EXAMPLE_COOKIE"
+      # support for "Authorization" header with bearer token
+      header-use: true
+      # the default redirect-uri, where the webserver listens on redirects from identity server
+      redirect-uri: "/oidc/redirect"
+      issuer: "https://tenant.some-server.com/oauth2/default"
+      audience: "configured audience"
+      client-id: "some client id"
+      client-secret: "some client secret"
+      identity-uri: "https://tenant.some-server.com/oauth2/default"
+      frontend-uri: "http://localhost:7987"
+      server-type: "@default"
+      # We want to redirect to login page (and token can be received either through cookie or header)
+      redirect: true
diff --git a/archetypes/helidon/src/main/archetype/mp/custom/security-outputs.xml b/archetypes/helidon/src/main/archetype/mp/custom/security-outputs.xml
index 877d7d94869..93aa72fbe53 100644
--- a/archetypes/helidon/src/main/archetype/mp/custom/security-outputs.xml
+++ b/archetypes/helidon/src/main/archetype/mp/custom/security-outputs.xml
@@ -99,7 +99,17 @@ to your tenant and application configuration.
                 </model>
             </output>
         </method>
+        <method name="security-abac">
+            <output if="${security.atz} contains ['abac']">
+                <model>
+                    <list key="providers-config-entries">
+                        <value file="files/application.abac.yaml"/>
+                    </list>
+                </model>
+            </output>
+        </method>
     </methods>
+    <call method="security-abac"/>
     <call method="security-oidc"/>
     <call method="security-jwt"/>
     <call method="security-google"/>
diff --git a/archetypes/helidon/src/main/archetype/se/common/common-se.xml b/archetypes/helidon/src/main/archetype/se/common/common-se.xml
index ad391521df8..8aa5442fb25 100644
--- a/archetypes/helidon/src/main/archetype/se/common/common-se.xml
+++ b/archetypes/helidon/src/main/archetype/se/common/common-se.xml
@@ -125,7 +125,14 @@
                 .build()
                 .start();
 
+        {{#Main-after-server}}
+        {{.}}
+        {{/Main-after-server}}
+
         System.out.println("WEB server is up! http://localhost:" + server.port() + "/simple-greet");
+        {{#Main-logging}}
+        {{.}}
+        {{/Main-logging}}
 ]]></value>
             </list>
             <list key="main-class-content">
diff --git a/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/GoogleMain.java.mustache b/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/GoogleMain.java.mustache
deleted file mode 100644
index 193c1727a8c..00000000000
--- a/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/GoogleMain.java.mustache
+++ /dev/null
@@ -1,76 +0,0 @@
-package {{package}};
-
-import java.util.Optional;
-import java.util.concurrent.TimeUnit;
-
-import io.helidon.http.HttpMediaTypes;
-import io.helidon.logging.common.LogConfig;
-import io.helidon.security.Security;
-import io.helidon.security.SecurityContext;
-import io.helidon.security.Subject;
-import io.helidon.security.providers.google.login.GoogleTokenProvider;
-import io.helidon.webserver.WebServer;
-import io.helidon.webserver.WebServerConfig;
-import io.helidon.webserver.context.ContextFeature;
-import io.helidon.webserver.security.SecurityFeature;
-import io.helidon.webserver.staticcontent.StaticContentService;
-
-/**
- * Google login button example main class using builders.
- */
-@SuppressWarnings({"SpellCheckingInspection", "DuplicatedCode"})
-public final class GoogleMain {
-
-    private GoogleMain() {
-    }
-
-    /**
-     * Start the example.
-     *
-     * @param args ignored
-     */
-    public static void main(String[] args) {
-        LogConfig.configureRuntime();
-        WebServerConfig.Builder builder = WebServerConfig.builder();
-        setup(builder);
-        WebServer server = builder.build();
-
-        long t = System.nanoTime();
-        server.start();
-        long time = System.nanoTime() - t;
-
-        System.out.printf("""
-                        Server started in %d ms
-                        Started server on localhost: %2$d
-                        You can access this example at http://localhost:%2$d/index.html
-
-                        Check application.yaml in case you are behind a proxy to configure it
-                        """,
-                TimeUnit.MILLISECONDS.convert(time, TimeUnit.NANOSECONDS),
-                server.port());
-    }
-
-    static void setup(WebServerConfig.Builder server) {
-        Security security = Security.builder()
-                .addProvider(GoogleTokenProvider.builder()
-                        .clientId("your-client-id.apps.googleusercontent.com"))
-                .build();
-        server.featuresDiscoverServices(false)
-                .addFeature(ContextFeature.create())
-                .addFeature(SecurityFeature.builder()
-                                    .security(security)
-                                    .build())
-                .routing(routing -> routing
-                .get("/rest/profile", SecurityFeature.authenticate(),
-                     (req, res) -> {
-                            Optional<SecurityContext> securityContext = req.context().get(SecurityContext.class);
-                            res.headers().contentType(HttpMediaTypes.PLAINTEXT_UTF_8);
-                            res.send("Response from builder based service, you are: \n" + securityContext
-                                    .flatMap(SecurityContext::user)
-                                    .map(Subject::toString)
-                                    .orElse("Security context is null"));
-                            res.next();
-                        })
-                .register(StaticContentService.create("/WEB")));
-    }
-}
diff --git a/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/OutboundOverrideJwt.java.mustache b/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/OutboundOverrideJwt.java.mustache
deleted file mode 100644
index d522e37352b..00000000000
--- a/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/OutboundOverrideJwt.java.mustache
+++ /dev/null
@@ -1,97 +0,0 @@
-package {{package}};
-
-import java.util.concurrent.TimeUnit;
-
-import io.helidon.config.Config;
-import io.helidon.config.ConfigSources;
-import io.helidon.http.HeaderNames;
-import io.helidon.security.Principal;
-import io.helidon.security.SecurityContext;
-import io.helidon.security.Subject;
-import io.helidon.webserver.WebServer;
-import io.helidon.webserver.WebServerConfig;
-import io.helidon.webserver.security.SecurityHttpFeature;
-
-/**
- * Creates two services.
- * First service invokes the second with outbound security.
- * There are two endpoints:
- * <ul>
- *     <li>One that does simple identity propagation and one that uses an explicit username</li>
- *     <li>One that uses basic authentication to authenticate users and JWT to propagate identity</li>
- * </ul>- one that does simple identity propagation and one that uses an explicit username.
- * <p>
- * The difference between this example and basic authentication example:
- * <ul>
- *     <li>Configuration files (this example uses ones with -jwt.yaml suffix)</li>
- *     <li>Client property used to override username</li>
- * </ul>
- */
-public final class OutboundOverrideJwt {
-
-    private OutboundOverrideJwt() {
-    }
-
-    /**
-     * Example that propagates identity and on one endpoint explicitly sets the username and password.
-     *
-     * @param args ignored
-     */
-    public static void main(String[] args) {
-        WebServerConfig.Builder builder = WebServer.builder();
-        setup(builder);
-        WebServer server = builder.build();
-
-        long t = System.nanoTime();
-        server.start();
-        long time = System.nanoTime() - t;
-
-        server.context().register(server);
-
-        System.out.printf("""
-                        Server started in %3$d ms
-
-                        ***********************
-                        ** Endpoints:        **
-                        ***********************
-
-                        http://localhost:%1$d/propagate
-                        http://localhost:%1$d/override
-
-                        Backend service started on: http://localhost:%2$d/hello
-
-                        """,
-                server.port(),
-                server.port("backend"),
-                TimeUnit.MILLISECONDS.convert(time, TimeUnit.NANOSECONDS));
-    }
-
-    static void setup(WebServerConfig.Builder server) {
-        Config clientConfig = Config.create(ConfigSources.classpath("client-service-jwt.yaml"));
-        Config backendConfig = Config.create(ConfigSources.classpath("backend-service-jwt.yaml"));
-
-        server.routing(routing -> routing
-                        .addFeature(SecurityHttpFeature.create(clientConfig.get("security.web-server")))
-                        .register(new JwtOverrideService()))
-
-                // backend that prints the current user
-                .putSocket("backend", socket -> socket
-                        .routing(routing -> routing
-                                .addFeature(SecurityHttpFeature.create(backendConfig.get("security.web-server")))
-                                .get("/hello", (req, res) -> {
-
-                                    // This is the token. It should be bearer <signed JWT base64 encoded>
-                                    req.headers().first(HeaderNames.AUTHORIZATION)
-                                            .ifPresent(System.out::println);
-
-                                    String username = req.context()
-                                            .get(SecurityContext.class)
-                                            .flatMap(SecurityContext::user)
-                                            .map(Subject::principal)
-                                            .map(Principal::getName)
-                                            .orElse("Anonymous");
-
-                                    res.send(username);
-                                })));
-    }
-}
diff --git a/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/SignatureMain.java.mustache b/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/SignatureMain.java.mustache
deleted file mode 100644
index 0dfa4204d45..00000000000
--- a/archetypes/helidon/src/main/archetype/se/custom/files/src/main/java/__pkg__/SignatureMain.java.mustache
+++ /dev/null
@@ -1,218 +0,0 @@
-package {{package}};
-
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
-import java.util.concurrent.TimeUnit;
-
-import io.helidon.common.configurable.Resource;
-import io.helidon.common.pki.Keys;
-import io.helidon.security.CompositeProviderFlag;
-import io.helidon.security.CompositeProviderSelectionPolicy;
-import io.helidon.security.Security;
-import io.helidon.security.providers.common.OutboundConfig;
-import io.helidon.security.providers.common.OutboundTarget;
-import io.helidon.security.providers.httpauth.HttpBasicAuthProvider;
-import io.helidon.security.providers.httpauth.SecureUserStore;
-import io.helidon.security.providers.httpsign.HttpSignProvider;
-import io.helidon.security.providers.httpsign.InboundClientDefinition;
-import io.helidon.security.providers.httpsign.OutboundTargetDefinition;
-import io.helidon.webserver.WebServer;
-import io.helidon.webserver.WebServerConfig;
-import io.helidon.webserver.http.HttpRouting;
-import io.helidon.webserver.security.SecurityFeature;
-import io.helidon.webserver.security.SecurityHttpFeature;
-
-/**
- * Example of authentication of service with http signatures, using configuration file as much as possible.
- */
-public class SignatureMain {
-
-    private static final Map<String, SecureUserStore.User> USERS = new HashMap<>();
-
-    static {
-        addUser("jack", "password", List.of("user", "admin"));
-        addUser("jill", "password", List.of("user"));
-        addUser("john", "password", List.of());
-    }
-
-    private SignatureMain() {
-    }
-
-    private static void addUser(String user, String password, List<String> roles) {
-        USERS.put(user, new SecureUserStore.User() {
-            @Override
-            public String login() {
-                return user;
-            }
-
-            char[] password() {
-                return password.toCharArray();
-            }
-
-            @Override
-            public boolean isPasswordValid(char[] password) {
-                return Arrays.equals(password(), password);
-            }
-
-            @Override
-            public Collection<String> roles() {
-                return roles;
-            }
-        });
-    }
-
-    /**
-     * Starts this example.
-     *
-     * @param args ignored
-     */
-    public static void main(String[] args) {
-        WebServerConfig.Builder builder = WebServer.builder();
-        setup(builder);
-        WebServer server = builder.build();
-        server.context().register(server);
-
-        long t = System.nanoTime();
-        server.start();
-        long time = System.nanoTime() - t;
-
-        System.out.printf("""
-                Server started in %1d ms
-
-                Signature example: from builder
-
-                Users:
-                jack/password in roles: user, admin
-                jill/password in roles: user
-                john/password in no roles
-
-                ***********************
-                ** Endpoints:        **
-                ***********************
-
-                Basic authentication, user role required, will use symmetric signatures for outbound:
-                  http://localhost:%2$d/service1
-                Basic authentication, user role required, will use asymmetric signatures for outbound:
-                  http://localhost:%3$d/service1-rsa
-
-                """, TimeUnit.MILLISECONDS.convert(time, TimeUnit.NANOSECONDS), server.port(), server.port("service2"));
-    }
-
-    static void setup(WebServerConfig.Builder server) {
-        server.routing(SignatureMain::routing1)
-                .putSocket("service2", socket -> socket
-                        .routing(SignatureMain::routing2));
-    }
-
-    private static void routing2(HttpRouting.Builder routing) {
-        SecurityHttpFeature security = SecurityHttpFeature.create(security2())
-                .securityDefaults(SecurityFeature.authenticate());
-
-        routing.addFeature(security)
-                .get("/service2*", SecurityFeature.rolesAllowed("user"))
-                .register(new Service2());
-    }
-
-    private static void routing1(HttpRouting.Builder routing) {
-        SecurityHttpFeature security = SecurityHttpFeature.create(security1())
-                .securityDefaults(SecurityFeature.authenticate());
-        routing.addFeature(security)
-                .get("/service1*", SecurityFeature.rolesAllowed("user"))
-                .register(new Service1());
-    }
-
-    private static Security security2() {
-        return Security.builder()
-                .providerSelectionPolicy(CompositeProviderSelectionPolicy
-                        .builder()
-                        .addAuthenticationProvider("http-signatures", CompositeProviderFlag.OPTIONAL)
-                        .addAuthenticationProvider("basic-auth")
-                        .build())
-                .addProvider(HttpBasicAuthProvider
-                                .builder()
-                                .realm("mic")
-                                .userStore(users()),
-                        "basic-auth")
-                .addProvider(HttpSignProvider.builder()
-                                .addInbound(InboundClientDefinition
-                                        .builder("service1-hmac")
-                                        .principalName("Service1 - HMAC signature")
-                                        .hmacSecret("somePasswordForHmacShouldBeEncrypted")
-                                        .build())
-                                .addInbound(InboundClientDefinition
-                                        .builder("service1-rsa")
-                                        .principalName("Service1 - RSA signature")
-                                        .publicKeyConfig(Keys.builder()
-                                                .keystore(k -> k
-                                                        .keystore(Resource.create("keystore.p12"))
-                                                        .passphrase("password")
-                                                        .certAlias("service_cert")
-                                                        .build())
-                                                .build())
-                                        .build()),
-                        "http-signatures")
-                .build();
-    }
-
-    private static Security security1() {
-        return Security.builder()
-                .providerSelectionPolicy(CompositeProviderSelectionPolicy
-                        .builder()
-                        .addOutboundProvider("basic-auth")
-                        .addOutboundProvider("http-signatures")
-                        .build())
-                .addProvider(HttpBasicAuthProvider
-                                .builder()
-                                .realm("mic")
-                                .userStore(users())
-                                .addOutboundTarget(OutboundTarget.builder("propagate-all").build()),
-                        "basic-auth")
-                .addProvider(HttpSignProvider
-                                .builder()
-                                .outbound(OutboundConfig
-                                        .builder()
-                                        .addTarget(hmacTarget())
-                                        .addTarget(rsaTarget())
-                                        .build()),
-                        "http-signatures")
-                .build();
-    }
-
-    private static OutboundTarget rsaTarget() {
-        return OutboundTarget.builder("service2-rsa")
-                .addHost("localhost")
-                .addPath("/service2-rsa.*")
-                .customObject(OutboundTargetDefinition.class,
-                        OutboundTargetDefinition.builder("service1-rsa")
-                                .privateKeyConfig(Keys.builder()
-                                        .keystore(k -> k
-                                                .keystore(Resource.create("keystore.p12"))
-                                                .passphrase("password")
-                                                .keyAlias("myPrivateKey")
-                                                .build())
-                                        .build())
-                                .build())
-                .build();
-    }
-
-    private static OutboundTarget hmacTarget() {
-        return OutboundTarget.builder("service2")
-                .addHost("localhost")
-                .addPath("/service2")
-                .customObject(
-                        OutboundTargetDefinition.class,
-                        OutboundTargetDefinition
-                                .builder("service1-hmac")
-                                .hmacSecret("somePasswordForHmacShouldBeEncrypted")
-                                .build())
-                .build();
-    }
-
-    private static SecureUserStore users() {
-        return login -> Optional.ofNullable(USERS.get(login));
-    }
-}
diff --git a/archetypes/helidon/src/main/archetype/se/custom/files/src/main/resources/WEB/index-google.html b/archetypes/helidon/src/main/archetype/se/custom/files/src/main/resources/WEB/google-login.html
similarity index 100%
rename from archetypes/helidon/src/main/archetype/se/custom/files/src/main/resources/WEB/index-google.html
rename to archetypes/helidon/src/main/archetype/se/custom/files/src/main/resources/WEB/google-login.html
diff --git a/archetypes/helidon/src/main/archetype/se/custom/files/src/test/java/__pkg__/GoogleMainTest.java.mustache b/archetypes/helidon/src/main/archetype/se/custom/files/src/test/java/__pkg__/GoogleMainTest.java.mustache
deleted file mode 100644
index 38071538e0f..00000000000
--- a/archetypes/helidon/src/main/archetype/se/custom/files/src/test/java/__pkg__/GoogleMainTest.java.mustache
+++ /dev/null
@@ -1,44 +0,0 @@
-
-package {{package}};
-
-import io.helidon.http.HeaderNames;
-import io.helidon.http.Status;
-import io.helidon.webserver.testing.junit5.ServerTest;
-import io.helidon.webserver.testing.junit5.SetUpServer;
-import io.helidon.webclient.http1.Http1Client;
-import io.helidon.webclient.http1.Http1ClientResponse;
-import io.helidon.webserver.WebServerConfig;
-
-import org.junit.jupiter.api.Test;
-
-import static io.helidon.common.testing.junit5.OptionalMatcher.optionalValue;
-import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.MatcherAssert.assertThat;
-
-/**
- * Unit test for {@link GoogleBuilderMain}.
- */
-@ServerTest
-public class GoogleMainTest {
-
-    private final Http1Client client;
-
-    GoogleMainTest(Http1Client client) {
-        this.client = client;
-    }
-
-    @SetUpServer
-    public static void setup(WebServerConfig.Builder server) {
-        GoogleMain.setup(server);
-    }
-
-    @Test
-    public void testEndpoint() {
-        try (Http1ClientResponse response = client.get("/rest/profile").request()) {
-
-            assertThat(response.status(), is(Status.UNAUTHORIZED_401));
-            assertThat(response.headers().first(HeaderNames.WWW_AUTHENTICATE),
-                    optionalValue(is("Bearer realm=\"helidon\",scope=\"openid profile email\"")));
-        }
-    }
-}
diff --git a/archetypes/helidon/src/main/archetype/se/custom/security-outputs.xml b/archetypes/helidon/src/main/archetype/se/custom/security-outputs.xml
index fc134386516..ea13511f7da 100644
--- a/archetypes/helidon/src/main/archetype/se/custom/security-outputs.xml
+++ b/archetypes/helidon/src/main/archetype/se/custom/security-outputs.xml
@@ -141,20 +141,13 @@ Build and run the application and then try the endpoints:
         </method>
         <method name="security-google">
             <output if="${security.atn} contains ['google']">
-                <templates engine="mustache" transformations="mustache,packaged">
-                    <directory>files</directory>
-                    <includes>
-                        <include>src/*/java/**/GoogleMain.java.mustache</include>
-                        <include>src/*/java/**/GoogleMainTest.java.mustache</include>
-                    </includes>
-                </templates>
                 <files>
                     <directory>files</directory>
                     <includes>
                         <include>src/*/resources/**/static.js/google-app.js</include>
                     </includes>
                 </files>
-                <file source="files/src/main/resources/WEB/index-google.html" target="src/main/resources/WEB/index.html"/>
+                <file source="files/src/main/resources/WEB/google-login.html" target="src/main/resources/WEB/google-login.html"/>
                 <model>
                     <list key="dependencies">
                         <map>
@@ -166,6 +159,55 @@ Build and run the application and then try the endpoints:
                             <value key="artifactId">helidon-webserver-static-content</value>
                         </map>
                     </list>
+                    <list key="Main-helidon-imports">
+                        <value>java.util.Optional</value>
+                    </list>
+                    <list key="Main-helidon-imports">
+                        <value>io.helidon.http.HttpMediaTypes</value>
+                        <value>io.helidon.security.Security</value>
+                        <value>io.helidon.security.SecurityContext</value>
+                        <value>io.helidon.security.Subject</value>
+                        <value>io.helidon.security.providers.google.login.GoogleTokenProvider</value>
+                        <value>io.helidon.webserver.WebServer</value>
+                        <value>io.helidon.webserver.WebServerConfig</value>
+                        <value>io.helidon.webserver.context.ContextFeature</value>
+                        <value>io.helidon.webserver.security.SecurityFeature</value>
+                        <value>io.helidon.webserver.staticcontent.StaticContentService</value>
+                    </list>
+                    <list key="Main-main">
+                        <value><![CDATA[
+        Security security = Security.builder()
+                .addProvider(GoogleTokenProvider.builder()
+                        .clientId("your-client-id.apps.googleusercontent.com"))
+                .build();
+]]></value>
+                    </list>
+                    <list key="Main-server-builder">
+                        <value><![CDATA[.featuresDiscoverServices(false)
+                .addFeature(ContextFeature.create())
+                .addFeature(SecurityFeature.builder()
+                                    .security(security)
+                                    .build())
+]]></value>
+                    </list>
+                    <list key="Main-routing-builder">
+                        <value><![CDATA[.get("/rest/profile", SecurityFeature.authenticate(),
+                 (req, res) -> {
+                        Optional<SecurityContext> securityContext = req.context().get(SecurityContext.class);
+                        res.headers().contentType(HttpMediaTypes.PLAINTEXT_UTF_8);
+                        res.send("Response from builder based service, you are: \n" + securityContext
+                                .flatMap(SecurityContext::user)
+                                .map(Subject::toString)
+                                .orElse("Security context is null"));
+                        res.next();
+                    })
+            .register(StaticContentService.create("/WEB"))
+]]></value>
+                    </list>
+                    <list key="Main-logging">
+                        <value><![CDATA[
+            System.out.println("Check Google login http://localhost:" + server.port() + "/google-login.html");]]></value>
+                    </list>
                     <list key="security-properties">
                         <value><![CDATA[    google-client-id: "your-app-id.apps.googleusercontent.com"
     proxy-host: ""]]></value>
@@ -203,11 +245,6 @@ Update the following files with your client id (it should support http://localho
 1. src/main/resources/application.yaml - set security.properties.google-client-id or override it in a file in ~/helidon/examples.yaml
 2. src/main/resources/WEB/index.html - update the meta tag in header with name "google-signin-client_id"
 3. src/main/java/io/helidon/security/examples/google/GoogleMain.java - update the client id in builder of provider
-
-## Exercise Google example
-```bash
-java -cp target/{{artifactId}}.jar {{package}}.GoogleMain
-```
 ]]></value>
                     </list>
                 </model>
@@ -218,8 +255,6 @@ java -cp target/{{artifactId}}.jar {{package}}.GoogleMain
                 <templates engine="mustache" transformations="mustache,packaged">
                     <directory>files</directory>
                     <includes>
-                        <include>src/*/java/**/OutboundOverrideJwt.java.mustache</include>
-                        <include>src/*/java/**/OutboundOverrideJwtTest.java.mustache</include>
                         <include>src/*/java/**/JwtOverrideService.java.mustache</include>
                     </includes>
                 </templates>
@@ -251,8 +286,57 @@ java -cp target/{{artifactId}}.jar {{package}}.GoogleMain
                             <value key="artifactId">helidon-bundles-config</value>
                         </map>
                     </list>
-                    <list key="providers-config-entries">
-                        <value file="files/application.jwt.yaml"/>
+                    <list key="Main-helidon-imports">
+                        <value>io.helidon.config.Config</value>
+                        <value>io.helidon.config.ConfigSources</value>
+                        <value>io.helidon.http.HeaderNames</value>
+                        <value>io.helidon.security.Principal</value>
+                        <value>io.helidon.security.SecurityContext</value>
+                        <value>io.helidon.security.Subject</value>
+                        <value>io.helidon.webserver.WebServer</value>
+                        <value>io.helidon.webserver.WebServerConfig</value>
+                        <value>io.helidon.webserver.security.SecurityHttpFeature</value>
+                    </list>
+                    <list key="Main-main">
+                        <value><![CDATA[
+        Config clientConfig = Config.create(ConfigSources.classpath("client-service-jwt.yaml"));
+        Config backendConfig = Config.create(ConfigSources.classpath("backend-service-jwt.yaml"));
+]]></value>
+                    </list>
+                    <list key="Main-after-server">
+                        <value><![CDATA[
+        server.context().register(server);
+]]></value>
+                    </list>
+                    <list key="Main-server-builder">
+                        <value><![CDATA[// backend that prints the current user
+                .putSocket("backend", socket -> socket
+                        .routing(routing -> routing
+                                .addFeature(SecurityHttpFeature.create(backendConfig.get("security.web-server")))
+                                .get("/hello", (req, res) -> {
+
+                                    // This is the token. It should be bearer <signed JWT base64 encoded>
+                                    req.headers().first(HeaderNames.AUTHORIZATION)
+                                            .ifPresent(System.out::println);
+
+                                    String username = req.context()
+                                            .get(SecurityContext.class)
+                                            .flatMap(SecurityContext::user)
+                                            .map(Subject::principal)
+                                            .map(Principal::getName)
+                                            .orElse("Anonymous");
+
+                                    res.send(username);
+                                })))
+]]></value>
+                    </list>
+                    <list key="Main-routing-builder">
+                        <value><![CDATA[.addFeature(SecurityHttpFeature.create(clientConfig.get("security.web-server")))
+                .register(new JwtOverrideService())
+]]></value>
+                    </list>
+                    <list key="Main-routing">
+                        <value><![CDATA[        Config clientConfig = Config.create(ConfigSources.classpath("client-service-jwt.yaml"));]]></value>
                     </list>
                     <list key="module-requires">
                         <value>io.helidon.webclient.security</value>
@@ -263,12 +347,6 @@ java -cp target/{{artifactId}}.jar {{package}}.GoogleMain
                         <value template="mustache"><![CDATA[
 ## Try JWT
 
-Run the application:
-```bash
-java -cp target/{{artifactId}}.jar {{package}}.OutboundOverrideJwt
-```
-
-Try the endpoints:
 ```bash
 curl -u "jack:password" http://localhost:8080/propagate
 curl -u "jack:password" http://localhost:8080/override
@@ -287,8 +365,6 @@ curl -u "jill:anotherPassword" http://localhost:8080/override
                     <includes>
                         <include>src/*/java/**/Service1.java.mustache</include>
                         <include>src/*/java/**/Service2.java.mustache</include>
-                        <include>src/*/java/**/SignatureMain.java.mustache</include>
-                        <include>src/*/java/**/SignatureMainTest.java.mustache</include>
                     </includes>
                 </templates>
                 <model>
@@ -306,6 +382,186 @@ curl -u "jill:anotherPassword" http://localhost:8080/override
                             <value key="artifactId">helidon-config-hocon</value>
                         </map>
                     </list>
+                    <list key="Main-java-imports">
+                        <value>java.util.Arrays</value>
+                        <value>java.util.Collection</value>
+                        <value>java.util.HashMap</value>
+                        <value>java.util.List</value>
+                        <value>java.util.Map</value>
+                        <value>java.util.Optional</value>
+                    </list>
+                    <list key="Main-helidon-imports">
+                        <value>io.helidon.common.configurable.Resource</value>
+                        <value>io.helidon.common.pki.Keys</value>
+                        <value>io.helidon.security.CompositeProviderFlag</value>
+                        <value>io.helidon.security.CompositeProviderSelectionPolicy</value>
+                        <value>io.helidon.security.Security</value>
+                        <value>io.helidon.security.providers.common.OutboundConfig</value>
+                        <value>io.helidon.security.providers.common.OutboundTarget</value>
+                        <value>io.helidon.security.providers.httpauth.HttpBasicAuthProvider</value>
+                        <value>io.helidon.security.providers.httpauth.SecureUserStore</value>
+                        <value>io.helidon.security.providers.httpsign.HttpSignProvider</value>
+                        <value>io.helidon.security.providers.httpsign.InboundClientDefinition</value>
+                        <value>io.helidon.security.providers.httpsign.OutboundTargetDefinition</value>
+                        <value>io.helidon.webserver.security.SecurityFeature</value>
+                        <value>io.helidon.webserver.security.SecurityHttpFeature</value>
+                    </list>
+                    <list key="main-class-fields">
+                        <value><![CDATA[
+    private static final Map<String, SecureUserStore.User> USERS = new HashMap<>();
+
+    static {
+        addUser("jack", "password", List.of("user", "admin"));
+        addUser("jill", "password", List.of("user"));
+        addUser("john", "password", List.of());
+    }
+
+    private static void addUser(String user, String password, List<String> roles) {
+        USERS.put(user, new SecureUserStore.User() {
+            @Override
+            public String login() {
+                return user;
+            }
+
+            char[] password() {
+                return password.toCharArray();
+            }
+
+            @Override
+            public boolean isPasswordValid(char[] password) {
+                return Arrays.equals(password(), password);
+            }
+
+            @Override
+            public Collection<String> roles() {
+                return roles;
+            }
+        });
+    }
+]]></value>
+                    </list>
+                    <list key="Main-routing">
+                        <value><![CDATA[
+        SecurityHttpFeature security = SecurityHttpFeature.create(security1())
+                .securityDefaults(SecurityFeature.authenticate());
+]]></value>
+                    </list>
+                    <list key="Main-routing-builder">
+                        <value><![CDATA[.addFeature(security)
+                .get("/service1*", SecurityFeature.rolesAllowed("user"))
+                .register(new Service1())
+]]></value>
+                    </list>
+                    <list key="main-class-content">
+                        <value><![CDATA[
+private static void routing2(HttpRouting.Builder routing) {
+        SecurityHttpFeature security = SecurityHttpFeature.create(security2())
+                .securityDefaults(SecurityFeature.authenticate());
+
+        routing.addFeature(security)
+                .get("/service2*", SecurityFeature.rolesAllowed("user"))
+                .register(new Service2());
+    }
+
+    private static Security security2() {
+        return Security.builder()
+                .providerSelectionPolicy(CompositeProviderSelectionPolicy
+                        .builder()
+                        .addAuthenticationProvider("http-signatures", CompositeProviderFlag.OPTIONAL)
+                        .addAuthenticationProvider("basic-auth")
+                        .build())
+                .addProvider(HttpBasicAuthProvider
+                                .builder()
+                                .realm("mic")
+                                .userStore(users()),
+                        "basic-auth")
+                .addProvider(HttpSignProvider.builder()
+                                .addInbound(InboundClientDefinition
+                                        .builder("service1-hmac")
+                                        .principalName("Service1 - HMAC signature")
+                                        .hmacSecret("somePasswordForHmacShouldBeEncrypted")
+                                        .build())
+                                .addInbound(InboundClientDefinition
+                                        .builder("service1-rsa")
+                                        .principalName("Service1 - RSA signature")
+                                        .publicKeyConfig(Keys.builder()
+                                                .keystore(k -> k
+                                                        .keystore(Resource.create("keystore.p12"))
+                                                        .passphrase("password")
+                                                        .certAlias("service_cert")
+                                                        .build())
+                                                .build())
+                                        .build()),
+                        "http-signatures")
+                .build();
+    }
+
+    private static Security security1() {
+        return Security.builder()
+                .providerSelectionPolicy(CompositeProviderSelectionPolicy
+                        .builder()
+                        .addOutboundProvider("basic-auth")
+                        .addOutboundProvider("http-signatures")
+                        .build())
+                .addProvider(HttpBasicAuthProvider
+                                .builder()
+                                .realm("mic")
+                                .userStore(users())
+                                .addOutboundTarget(OutboundTarget.builder("propagate-all").build()),
+                        "basic-auth")
+                .addProvider(HttpSignProvider
+                                .builder()
+                                .outbound(OutboundConfig
+                                        .builder()
+                                        .addTarget(hmacTarget())
+                                        .addTarget(rsaTarget())
+                                        .build()),
+                        "http-signatures")
+                .build();
+    }
+
+    private static OutboundTarget rsaTarget() {
+        return OutboundTarget.builder("service2-rsa")
+                .addHost("localhost")
+                .addPath("/service2-rsa.*")
+                .customObject(OutboundTargetDefinition.class,
+                        OutboundTargetDefinition.builder("service1-rsa")
+                                .privateKeyConfig(Keys.builder()
+                                        .keystore(k -> k
+                                                .keystore(Resource.create("keystore.p12"))
+                                                .passphrase("password")
+                                                .keyAlias("myPrivateKey")
+                                                .build())
+                                        .build())
+                                .build())
+                .build();
+    }
+
+    private static OutboundTarget hmacTarget() {
+        return OutboundTarget.builder("service2")
+                .addHost("localhost")
+                .addPath("/service2")
+                .customObject(
+                        OutboundTargetDefinition.class,
+                        OutboundTargetDefinition
+                                .builder("service1-hmac")
+                                .hmacSecret("somePasswordForHmacShouldBeEncrypted")
+                                .build())
+                .build();
+    }
+
+    private static SecureUserStore users() {
+        return login -> Optional.ofNullable(USERS.get(login));
+    }
+]]></value>
+                    </list>
+                    <list key="Main-server-builder">
+                        <value><![CDATA[.putSocket("service2", socket -> socket
+                        .routing(Main::routing2))]]></value>
+                    </list>
+                    <list key="Main-after-server">
+                        <value><![CDATA[server.context().register(server);]]></value>
+                    </list>
                     <list key="module-requires">
                         <value>io.helidon.webclient.http1</value>
                         <value>io.helidon.common.pki</value>
@@ -318,12 +574,6 @@ curl -u "jill:anotherPassword" http://localhost:8080/override
                         <value template="mustache"><![CDATA[
 ## Try Signature
 
-```bash
-mvn package
-java -cp target/{{artifactId}}.jar {{package}}.SignatureMain
-```
-
-Try the endpoints:
 ```bash
 curl -u "jack:password" http://localhost:8080/service1
 curl -u "jill:password" http://localhost:8080/service1-rsa
@@ -347,15 +597,22 @@ curl -v -u "john:password" http://localhost:8080/service1
                             <value key="artifactId">helidon-security-abac-role</value>
                         </map>
                     </list>
+                    <list key="providers-config-entries">
+                        <value><![CDATA[
+  - abac:
+      fail-on-unvalidated: true
+      fail-if-none-validated: true
+]]></value>
+                    </list>
                 </model>
             </output>
         </method>
     </methods>
+    <call method="security-abac"/>
     <call method="security-oidc"/>
     <call method="security-google"/>
     <call method="security-jwt"/>
     <call method="security-signature"/>
-    <call method="security-abac"/>
     <output>
         <model>
             <list key="dependencies">
@@ -374,7 +631,8 @@ security:
                 <value>io.helidon.security.integration.common</value>
                 <value>io.helidon.webserver.security</value>
             </list>
-            <list key="application-yaml-entries" if="!(${security.atn} == [ 'http-signature' ])">
+            <list key="application-yaml-entries"
+                  if="!(${security.atn} contains 'http-signature' || ${security.atn} contains 'jwt')">
                 <value template="mustache"><![CDATA[
 {{#security}}