When a RESTEasy Reactive JAX-RS endpoint has its methods with HTTP method annotations declared in an abstract Java class, or when its methods without HTTP method annotations are customised by Quarkus extensions to handle JAX-RS GET requests using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either the 'quarkus.security.jaxrs.deny-unannotated-endpoints' or the 'quarkus.security.jaxrs.default-roles-allowed' property.

So a combination of 2 factors triggers it:

* Users enable the security authorization of JAX-RS endpoints with either the 'quarkus.security.jaxrs.deny-unannotated-endpoints' or the 'quarkus.security.jaxrs.default-roles-allowed' property
* Users declare JAX-RS methods which must be secured with these properties in the Java abstract class which the JAX-RS endpoint class will extend
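
The layout described above, written out as an added example (not code from Quarkus or from this report), with a regression test that checks anonymous requests are rejected on both the directly declared and the inherited method. Package, class and path names are hypothetical, and the test assumes the quarkus-junit5 and rest-assured test dependencies are on the classpath.

```java
// application.properties: quarkus.security.jaxrs.deny-unannotated-endpoints=true

// ---- src/main/java/org/acme/AbstractGreetingResource.java ----
package org.acme;

import jakarta.ws.rs.GET;   // javax.ws.rs.* on Quarkus 2.x
import jakarta.ws.rs.Path;

public abstract class AbstractGreetingResource {
    // HTTP method annotation declared in the abstract class, no security
    // annotation: the case the description says was left unenforced.
    @GET
    @Path("inherited")
    public String inherited() { return "inherited"; }
}

// ---- src/main/java/org/acme/GreetingResource.java ----
package org.acme;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;

@Path("/greeting")
public class GreetingResource extends AbstractGreetingResource {
    // Control: unannotated method declared directly on the endpoint class.
    @GET
    @Path("direct")
    public String direct() { return "direct"; }
}

// ---- src/test/java/org/acme/InheritedEndpointAuthorizationTest.java ----
package org.acme;

import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.anyOf;
import static org.hamcrest.Matchers.is;

import io.quarkus.test.junit.QuarkusTest;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;

@QuarkusTest
class InheritedEndpointAuthorizationTest {
    @ParameterizedTest
    @ValueSource(strings = {"/greeting/direct", "/greeting/inherited"})
    void anonymousRequestIsRejected(String path) {
        // No credentials sent: both paths must be denied (401 or 403).
        given().when().get(path).then().statusCode(anyOf(is(401), is(403)));
    }
}
```

A failure on the `/greeting/inherited` case while `/greeting/direct` passes matches the behaviour described in this report; both cases should pass on the fixed releases listed on this page.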
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.9.SP1

Via RHSA-2024:0494 https://access.redhat.com/errata/RHSA-2024:0494
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.2.9.SP1

Via RHSA-2024:0495 https://access.redhat.com/errata/RHSA-2024:0495