If annotation-based security is used to secure a REST resource, the JSON body the resource may consume is processed (deserialized) before the security constraints are evaluated and applied. This does not happen with configuration-based security: there, the security constraints are evaluated and applied before a JSON body is processed.
This issue has been addressed in the following products: Red Hat build of Quarkus 2.13.9.SP1
Via RHSA-2024:0494 https://access.redhat.com/errata/RHSA-2024:0494
This issue has been addressed in the following products: Red Hat build of Quarkus 3.2.9.SP1
Via RHSA-2024:0495 https://access.redhat.com/errata/RHSA-2024:0495
It would be helpful if you could state in your documentation that this "3.2.9.SP1" version actually corresponds to 3.2.9.Final-redhat-00004 in the Maven repository. It was a guessing game. The https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/quarkus-3.2/guide/1fb66449-7cb8-4328-8bb6-f11921699056 guide was updated on January 25th (the same day as this entry) mentioning that version.
Also, the 'lastUpdated' timestamp in https://maven.repository.redhat.com/ga/com/redhat/quarkus/platform/quarkus-bom/maven-metadata.xml confirmed this. It's January 25th as well.