
Perform security checks on inherited endpoints before payload deserialization in the RESTEasy Reactive #38832

Conversation

michalvavrik (Member) commented Feb 17, 2024

fixes: #38754

Standard security annotations on endpoints come from the class that declares the endpoint (has @GET, ...). Sure, the standard security annotations can be placed on any CDI bean and checked by the CDI interceptors, but as far as eager endpoint security checks are concerned, we must follow what the actual endpoint is. The essence of the change is for the MethodDescription in the ServerRestHandler to match the gathered MethodDescription in the SecurityProcessor that is added to the SecurityCheckStorage:

private Map<MethodInfo, SecurityCheck> gatherSecurityAnnotations(IndexView index,

This issue has been there from the beginning of the EagerSecurityHandler, I guess, but when the security check is not performed eagerly, it is always backed by CDI interceptors, so we didn't mention it. However, now that default JAX-RS security checks are hardened due to the CVE fix, we need proper endpoint matching, and it's desirable to perform it sooner anyway (authZ before deserialization + non-blocking security checks).
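Added illustration of the matching problem the PR describes (this is example code, not code from the PR or from Quarkus): a base class declares the endpoint and its @RolesAllowed, a subclass is the registered resource, and the annotation is only found when the lookup follows the class that declares the endpoint method. Plain reflection stands in here for the build-time index (MethodInfo) the PR works with; it assumes jakarta.ws.rs-api and jakarta.annotation-api are on the classpath.

```java
// Added example: why an eager security check must resolve annotations against
// the class that DECLARES the endpoint method, not the concrete subclass that
// is registered as the JAX-RS resource. Reflection stands in for the Jandex
// index used at build time (assumption for illustration only).
import jakarta.annotation.security.RolesAllowed;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import java.lang.reflect.Method;
import java.util.Optional;

public class InheritedEndpointSecurity {

    // The base class declares the endpoint (@GET) and its security requirement.
    @RolesAllowed("admin")
    public abstract static class SecuredBase {
        @GET
        public String hello() { return "hello"; }
    }

    // The concrete resource only adds the path; hello() is inherited unchanged.
    @Path("/inherited")
    public static class InheritedResource extends SecuredBase { }

    // Lookup that consults only the registered resource class: @RolesAllowed is
    // not @Inherited, so the class-level annotation on SecuredBase is missed and
    // the endpoint is mistaken for an unannotated one, which is exactly the case
    // default JAX-RS security is meant to handle.
    static Optional<RolesAllowed> lookupOnResourceClass(Class<?> resource, Method m) {
        return Optional.ofNullable(m.getAnnotation(RolesAllowed.class))
                .or(() -> Optional.ofNullable(resource.getAnnotation(RolesAllowed.class)));
    }

    // Lookup that follows the declaring class of the endpoint method: this is the
    // class the security annotations actually belong to.
    static Optional<RolesAllowed> lookupOnDeclaringClass(Method m) {
        return Optional.ofNullable(m.getAnnotation(RolesAllowed.class))
                .or(() -> Optional.ofNullable(m.getDeclaringClass().getAnnotation(RolesAllowed.class)));
    }

    public static void main(String[] args) throws Exception {
        // getMethod() returns the inherited method; its declaring class is SecuredBase.
        Method endpoint = InheritedResource.class.getMethod("hello");
        System.out.println("endpoint declared by: " + endpoint.getDeclaringClass().getSimpleName());
        System.out.println("resource-class lookup finds @RolesAllowed: "
                + lookupOnResourceClass(InheritedResource.class, endpoint).isPresent());
        System.out.println("declaring-class lookup finds @RolesAllowed: "
                + lookupOnDeclaringClass(endpoint).isPresent());
    }
}
```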


@michalvavrik michalvavrik force-pushed the feature/perform-rr-sec-checks-eagerly-on-inherited-endpoints branch from 95dd78e to 29eb451 Compare February 18, 2024 21:35
michalvavrik (Member, Author) commented:

I've rebased on the current main and removed backport label as this can't be backported without conflicts. Will prepare separate backport commits based on what gets into main.


quarkus-bot bot commented Feb 19, 2024

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit 29eb451.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.


Flaky tests - Develocity

⚙️ JVM Tests - JDK 17

📦 integration-tests/opentelemetry

io.quarkus.it.opentelemetry.EndUserEnabledTest.baseTest

  • AttributesMap{data={net.host.name=localhost, user_agent.original=Apache-HttpClient/4.5.14 (Java/17.0.10), http.target=/otel/enduser, code.function=dummy, http.client_ip=127.0.0.1, code.namespace=io.quarkus.it.opentelemetry.util.EndUserResource, http.route=/otel/enduser, http.response_content_length=0, net.host.port=8081, net.protocol.name=http, http.method=GET, http.status_code=200, http.scheme=http}, capacity=128, totalAddedValues=13} ==> expected: <testUser> but was: <null> - org.opentest4j.AssertionFailedError

⚙️ JVM Tests - JDK 21

📦 extensions/smallrye-reactive-messaging-kafka/deployment

io.quarkus.smallrye.reactivemessaging.kafka.deployment.dev.KafkaDevServicesDevModeTestCase.sseStream

  • Assertion condition Expecting size of: [] to be greater than or equal to 2 but was 0 within 10 seconds. - org.awaitility.core.ConditionTimeoutException

@geoand geoand merged commit 77b79d4 into quarkusio:main Feb 19, 2024
42 checks passed
@quarkus-bot quarkus-bot bot added this to the 3.9 - main milestone Feb 19, 2024
@michalvavrik michalvavrik deleted the feature/perform-rr-sec-checks-eagerly-on-inherited-endpoints branch February 19, 2024 08:17
@michalvavrik michalvavrik changed the title from "Perform security checkes on inherited endpoints before payload deserialization in the RESTEasy Reactive" to "Perform security checks on inherited endpoints before payload deserialization in the RESTEasy Reactive" Feb 19, 2024
Successfully merging this pull request may close these issues.

JAX-RS default security is applied to annotated, inherited endpoints