Fixed: remove generateSecretKeys dependency from test to improve build caching

The `test` task depends on `generateSecretKeys`, which writes new random
values to `framework/security/config/security.properties` on every
build. Since this file is part of the main resource source set
(`config/` dirs are included via
`getDirectoryInActiveComponentsIfExists('config')`), changing it causes
cascading Gradle build cache misses for:

- `:compileTestGroovy` — classpath includes main resources
- `:checkstyleMain` — classpath includes `sourceSets.main.output`
- `:checkstyleTest` — same reason
- `:test` — classpath + test classes differ

This commit:

1. Removes `dependsOn 'generateSecretKeys'` from the `test` task —
the main `security.properties` is no longer mutated during `build`
2. Adds a test-specific `security.properties` in
`framework/security/src/test/resources/` with fixed keys — this shadows
the main config on the test classpath so unit tests that require JWT
keys (e.g. `ModelFormTest`) continue to work

The `generateSecretKeys` task is unchanged and remains available for
manual use (`./gradlew generateSecretKeys`) and as a dependency of
`loadAll`.

(cherry picked from commit 73d0d37)
(cherry picked from commit 4b59bc7)

Author: ribafish

build.gradle

@@ -309,12 +309,10 @@ eclipse.classpath.file.whenMerged { classpath ->
 tasks.eclipse.dependsOn(cleanEclipse)
 
 test {
-    dependsOn 'generateSecretKeys'
     useJUnit()
     jvmArgs "-javaagent:${classpath.find { it.name.contains('jmockit') }.absolutePath}"
 }
 
-processResources.mustRunAfter 'generateSecretKeys'
 
 /* ========================================================
  * Tasks

framework/security/src/test/resources/security.properties

@@ -0,0 +1,53 @@
+##############################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+###############################################################################
+
+##############################################################################
+# Test override of security.properties with non production values.
+# This file shadows framework/security/config/security.properties on the
+# test classpath so that unit tests requiring security settings such as
+# JWT keys can run without the need to generate keys or modify the main
+# security.properties file.
+##############################################################################
+
+# -- Security key used to encrypt and decrypt the autogenerated password in forgot password functionality.
+#    Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
+#    The key must be 512 bits (ie 64 chars) as we use HMAC512 to create the token, cf. OFBIZ-12724
+#    Run './gradlew generateSecretKeys' to generate a cryptographically secure random key.
+login.secret_key_string=ZdxxqjX87e6CR9Rf5pAzA+GTX4DP2T0H3bimGaDGA59OytU/tVQ7AC7N9PUA9e17
+
+# -- The secret key for the JWT token signature.
+#    Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
+#    The key must be 512 bits (ie 64 chars) as we use HMAC512 to create the token, cf. OFBIZ-12724
+#    Run './gradlew generateSecretKeys' to generate a cryptographically secure random key.
+security.token.key=TzWl/rNavz7VYMc6sxDpf8Yon6NnkbUfrL4JrscJBdTEx3vtwQQ7Mt0wk/TtZXUn
+
+#-- To accept the execution on some groovy script who match the deniedScriptletsTokens regExp, put their hash here.
+#-- like allowedScriptletHashes={SHA}59f8ab616b3878ddf825ea50c13ce603a3a6c5a9,{SHA}59f5ab516b3878ddf825ea50c13ce603a3a6c5a9
+allowedScriptletHashes= {SHA}4e025676cfa6df142e3457099271ecdcd1c1f5f9,{SHA}d8451d7509ae73421974f47752b6e9eef7503041,{SHA}edf12cf95597d52eacc14020a85a8df2abb34ab7
+
+#-- RegExp to secure groovy script execution. If the regExp match a script, it would be disabled and OFBiz run nothing.
+#-- In this case, you will have on log the original script with it hash. The hash can be added on allowedScriptletHashes
+#-- properties to accept it on the next execution.
+deniedScriptletsTokens=java\\s*\.|import\\s|embed[^\\w]|process[^\\w]|class[^\\w]|require[^\\w]\
+|\.\\s*.exec.*[\(|\\s]|\.\\s*calc.*[\(|\\s]|\.\\s*.eval.*[\(|\\s]|Eval\\s*\.|\\s+File\
+|System\\s*\.|\.\\s*codehaus|\.\\s*groovy[^:]|\.\\s*runtime\|groovyx\\s*\.
+
+#-- If you want to deactivate the security control on each groovy script set to false.
+# Warn ensure to be sure on what you do because this can open the door for code injection
+useDeniedScriptletsTokens=true