Add PVA Security Widget showing runtime TLS and authentication details

[george-mcintyre]

Overview

Adds a new PVA Security widget to the Display Builder. When placed on a display and configured with a PV name, the widget shows live TLS and authentication metadata for that PV's underlying PVA connection:

• TLS active — whether the connection is secured with TLS
• Authentication method — e.g. x509, ca, or anonymous
• Server identity — X.509 subject name of the server certificate
• Client identity — X.509 subject name presented by the client

The widget forces the pva:// protocol prefix on the configured PV name at runtime so it always interrogates the actual PVA connection, regardless of the default protocol configured in the environment.

Implementation

Three new classes following the standard Display Builder widget pattern:

Class	Module	Purpose
PVASecurityWidget	app/display/model	Widget model: properties, XML persistence
PVASecurityRepresentation	app/display/representation-javafx	JavaFX rendering
PVASecurityRuntime	app/display/runtime	PV connection logic, forces pva:// prefix

Registered via the existing SPI BaseWidgetsService, BaseWidgetRepresentations, and BaseWidgetRuntimes.

Depends on the TLS accessor API added in the companion PR "Expose TLS connection details through PV → Channel → TCPHandler chain".

Files Changed

• app/display/model/src/main/java/org/csstudio/display/builder/model/BaseWidgetsService.java
• app/display/model/src/main/java/org/csstudio/display/builder/model/widgets/PVASecurityWidget.java (new)
• app/display/representation-javafx/src/main/java/org/csstudio/display/builder/representation/javafx/widgets/BaseWidgetRepresentations.java
• app/display/representation-javafx/src/main/java/org/csstudio/display/builder/representation/javafx/widgets/PVASecurityRepresentation.java (new)
• app/display/runtime/src/main/java/org/csstudio/display/builder/runtime/internal/BaseWidgetRuntimes.java
• app/display/runtime/src/main/java/org/csstudio/display/builder/runtime/internal/PVASecurityRuntime.java (new)
• app/display/runtime/pom.xml

[sonarqubecloud]

Quality Gate passed

Issues
28 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[kasemir]

This is problematic because it makes the generic display depend on pv-pva and core-pva.
The display was designed to only depend on the abstracted core-pv. It can be used with any combination of simulated, local, CA, PVA, MQTT, Tango, ... PVs.
We do not check pv instanceof PV_CA and likewise should not add a check pv instanceof PV_PVA that makes it depend on any specific PV type.

This does mean that we knowingly drop the option of showing PV-specific details like a CA server IP. We leave that to cainfo on the command line, outside of the generic CS-Studio tools.

To still allow access to the PVA connection detail in displays, there are some other options:

• Move the PVA security widget to an outside module. For example, a new app/display/pva

• Instead of creating a new widget, add formula functions like pvaTLSstate(`SomePVName`), pvaServerIdentity(`SomePVName`) which can then be used with existing TextUpdate or LED or .. widgets. Since those formulas would again depend on pv-pva, they need to be in a separate module, not core-formula