openapi: address Gemini review findings on bearerAuth switch

- Assert basicAuth is absent (not just that bearerAuth is present) in
  the performance test, so removal of the old key is explicitly verified
- Strengthen testMultiSecuritySchemeScenario: verify bearerAuth scheme
  type/scheme values, assert basicAuth is gone, and verify the API-level
  security requirement actually references bearerAuth

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: robertlazarski

modules/openapi/src/test/java/org/apache/axis2/openapi/AdvancedGuideIntegrationTest.java

@@ -273,19 +273,21 @@ public void testMultiSecuritySchemeScenario() throws Exception {
         boolean hasOAuth2 = securitySchemes.containsKey("oauth2");
 
         assertTrue("Should have bearer token authentication by default", hasBearerAuth);
-
-        // Test that operations can use different security schemes
-        Map<String, PathItem> paths = openApi.getPaths();
-        for (PathItem pathItem : paths.values()) {
-            for (Operation operation : pathItem.readOperationsMap().values()) {
-                if (operation.getSecurity() != null && !operation.getSecurity().isEmpty()) {
-                    // Verify security requirements are properly structured
-                    for (SecurityRequirement secReq : operation.getSecurity()) {
-                        assertFalse("Security requirements should not be empty", secReq.isEmpty());
-                    }
-                }
-            }
-        }
+        assertFalse("basicAuth must not appear in the default spec", securitySchemes.containsKey("basicAuth"));
+
+        // Verify the bearerAuth scheme is correctly typed
+        SecurityScheme bearer = securitySchemes.get("bearerAuth");
+        assertEquals("bearerAuth type must be HTTP", SecurityScheme.Type.HTTP, bearer.getType());
+        assertEquals("bearerAuth scheme must be bearer", "bearer", bearer.getScheme());
+
+        // Verify the API-level security requirement references bearerAuth
+        List<SecurityRequirement> apiSecurity = openApi.getSecurity();
+        assertNotNull("API-level security requirements should be set", apiSecurity);
+        assertFalse("API-level security requirements should not be empty", apiSecurity.isEmpty());
+        boolean apiReferencesBearerAuth = apiSecurity.stream()
+                .anyMatch(req -> req.containsKey("bearerAuth"));
+        assertTrue("At least one API-level security requirement must reference bearerAuth",
+                apiReferencesBearerAuth);
     }
 
     // ========== Advanced SwaggerUI Customization Tests ==========

modules/openapi/src/test/java/org/apache/axis2/openapi/OpenApiConfigurationTest.java

@@ -456,8 +456,10 @@ public void testLargeConfigurationPerformance() {
         assertEquals(10000, config.getResourcePackages().size());
         assertEquals(10000, config.getResourceClasses().size());
         assertEquals(10000, config.getIgnoredRoutes().size());
-        // +1 for default bearerAuth scheme
+        // +1 for default bearerAuth scheme; basicAuth must not be present
         assertEquals(10001, config.getSecurityDefinitions().size());
+        assertFalse("basicAuth must not be present after switch to bearerAuth",
+                config.getSecurityDefinitions().containsKey("basicAuth"));
     }
 
     @Test