quarkusio · gsmet · May 10, 2024 · May 3, 2024
diff --git a/docs/src/main/asciidoc/rest.adoc b/docs/src/main/asciidoc/rest.adoc
@@ -1458,8 +1458,12 @@
 ----
 package org.acme.rest;
 
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
+
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.Response;
 
 @Path("person")
 public class Person {
@@ -1469,8 +1473,25 @@
     public Person getPerson(Long id) {
         return new Person(id, "foo", "bar", "Brick Lane");
     }
+
+    @Produces(APPLICATION_JSON) <1>
+    @Path("/friend/{id}")
+    @GET
+    public Response getPersonFriend(Long id) {
+        var person = new Person(id, "foo", "bar", "Brick Lane");
+        return Response.ok(person).build();
+    }
 }
 ----
+<1> The `@SecureField` annotation is only effective when Quarkus recognizes that produced content type is the 'application/json' type.
+
+WARNING: Currently you cannot use the `@SecureField` annotation to secure your data returned from resource methods returning the `io.smallrye.mutiny.Multi` reactive type.
+
+[IMPORTANT]
+====
+All resource methods returning data secured with the `@SecureField` annotation should be tested.
+Please make sure data are secured as you intended.
+====
 
 Assuming security has been set up for the application (see our xref:security-overview.adoc[guide] for more details), when a user with the `admin` role
 performs an HTTP GET on `/person/1` they will receive:

diff --git a/...rkus/resteasy/reactive/jackson/deployment/processor/ResteasyReactiveJacksonProcessor.java b/...rkus/resteasy/reactive/jackson/deployment/processor/ResteasyReactiveJacksonProcessor.java
@@ -1,5 +1,6 @@
 package io.quarkus.resteasy.reactive.jackson.deployment.processor;
 
+import static io.quarkus.resteasy.reactive.common.deployment.QuarkusResteasyReactiveDotNames.JSON_IGNORE;
 import static io.quarkus.security.spi.RolesAllowedConfigExpResolverBuildItem.isSecurityConfigExpressionCandidate;
 import static org.jboss.resteasy.reactive.common.util.RestMediaType.APPLICATION_NDJSON;
 import static org.jboss.resteasy.reactive.common.util.RestMediaType.APPLICATION_STREAM_JSON;
@@ -15,6 +16,7 @@
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.BiConsumer;
+import java.util.function.Predicate;
 import java.util.function.Supplier;
 
 import jakarta.inject.Singleton;
@@ -59,6 +61,7 @@
 import io.quarkus.deployment.builditem.ShutdownContextBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
 import io.quarkus.resteasy.reactive.common.deployment.JaxRsResourceIndexBuildItem;
+import io.quarkus.resteasy.reactive.common.deployment.QuarkusResteasyReactiveDotNames;
 import io.quarkus.resteasy.reactive.common.deployment.ResourceScanningResultBuildItem;
 import io.quarkus.resteasy.reactive.common.deployment.ServerDefaultProducesHandlerBuildItem;
 import io.quarkus.resteasy.reactive.jackson.CustomDeserialization;
@@ -372,7 +375,12 @@ public void handleFieldSecurity(ResteasyReactiveResourceMethodEntriesBuildItem r
             JaxRsResourceIndexBuildItem index,
             BuildProducer<ResourceMethodCustomSerializationBuildItem> producer) {
         IndexView indexView = index.getIndexView();
-        Map<String, Boolean> typeToHasSecureField = new HashMap<>();
+        boolean noSecureFieldDetected = indexView.getAnnotations(SECURE_FIELD).isEmpty();
+        if (noSecureFieldDetected) {
+            return;
+        }
+
+        Map<String, Boolean> typeToHasSecureField = new HashMap<>(getTypesWithSecureField());
         List<ResourceMethodCustomSerializationBuildItem> result = new ArrayList<>();
         for (ResteasyReactiveResourceMethodEntriesBuildItem.Entry entry : resourceMethodEntries.getEntries()) {
             MethodInfo methodInfo = entry.getMethodInfo();
@@ -425,7 +433,7 @@ public void handleFieldSecurity(ResteasyReactiveResourceMethodEntriesBuildItem r
             }
 
             ClassInfo effectiveReturnClassInfo = indexView.getClassByName(effectiveReturnType.name());
-            if ((effectiveReturnClassInfo == null) || effectiveReturnClassInfo.name().equals(ResteasyReactiveDotNames.OBJECT)) {
+            if (effectiveReturnClassInfo == null) {
                 continue;
             }
             AtomicBoolean needToDeleteCache = new AtomicBoolean(false);
@@ -443,6 +451,7 @@ public void handleFieldSecurity(ResteasyReactiveResourceMethodEntriesBuildItem r
             }
             if (needToDeleteCache.get()) {
                 typeToHasSecureField.clear();
+                typeToHasSecureField.putAll(getTypesWithSecureField());
             }
         }
         if (!result.isEmpty()) {
@@ -452,6 +461,13 @@ public void handleFieldSecurity(ResteasyReactiveResourceMethodEntriesBuildItem r
         }
     }
 
+    private static Map<String, Boolean> getTypesWithSecureField() {
+        // if any of following types is detected as an endpoint return type or a field of endpoint return type,
+        // we always need to apply security serialization as any type can be represented with them
+        return Map.of(ResteasyReactiveDotNames.OBJECT.toString(), Boolean.TRUE, ResteasyReactiveDotNames.RESPONSE.toString(),
+                Boolean.TRUE);
+    }
+
     private static boolean hasSecureFields(IndexView indexView, ClassInfo currentClassInfo,
             Map<String, Boolean> typeToHasSecureField, AtomicBoolean needToDeleteCache) {
         // use cached result if there is any
@@ -479,10 +495,20 @@ private static boolean hasSecureFields(IndexView indexView, ClassInfo currentCla
                     .anyMatch(ci -> hasSecureFields(indexView, ci, typeToHasSecureField, needToDeleteCache));
         } else {
             // figure if any field or parent / subclass field is secured
-            hasSecureFields = hasSecureFields(currentClassInfo)
-                    || anyFieldHasSecureFields(indexView, currentClassInfo, typeToHasSecureField, needToDeleteCache)
-                    || anySubclassHasSecureFields(indexView, currentClassInfo, typeToHasSecureField, needToDeleteCache)
-                    || anyParentClassHasSecureFields(indexView, currentClassInfo, typeToHasSecureField, needToDeleteCache);
+            if (hasSecureFields(currentClassInfo)) {
+                hasSecureFields = true;
+            } else {
+                Predicate<DotName> ignoredTypesPredicate = QuarkusResteasyReactiveDotNames.IGNORE_TYPE_FOR_REFLECTION_PREDICATE;
+                if (ignoredTypesPredicate.test(currentClassInfo.name())) {
+                    hasSecureFields = false;
+                } else {
+                    hasSecureFields = anyFieldHasSecureFields(indexView, currentClassInfo, typeToHasSecureField,
+                            needToDeleteCache)
+                            || anySubclassHasSecureFields(indexView, currentClassInfo, typeToHasSecureField, needToDeleteCache)
+                            || anyParentClassHasSecureFields(indexView, currentClassInfo, typeToHasSecureField,
+                                    needToDeleteCache);
+                }
+            }
         }
         typeToHasSecureField.put(className, hasSecureFields);
         return hasSecureFields;
@@ -513,6 +539,7 @@ private static boolean anyFieldHasSecureFields(IndexView indexView, ClassInfo cu
         return currentClassInfo
                 .fields()
                 .stream()
+                .filter(fieldInfo -> !fieldInfo.hasAnnotation(JSON_IGNORE))
                 .map(FieldInfo::type)
                 .anyMatch(fieldType -> fieldTypeHasSecureFields(fieldType, indexView, typeToHasSecureField, needToDeleteCache));
     }

diff --git a/...src/test/java/io/quarkus/resteasy/reactive/jackson/deployment/test/MultipartResource.java b/...src/test/java/io/quarkus/resteasy/reactive/jackson/deployment/test/MultipartResource.java
@@ -17,11 +17,13 @@
 import org.jboss.resteasy.reactive.RestForm;
 import org.jboss.resteasy.reactive.multipart.FileUpload;
 
+import io.quarkus.resteasy.reactive.jackson.DisableSecureSerialization;
 import io.smallrye.common.annotation.Blocking;
 
 @Path("/multipart")
 public class MultipartResource {
 
+    @DisableSecureSerialization // Person has @SecureField but we want to inspect all data
     @POST
     @Produces(MediaType.APPLICATION_JSON)
     @Consumes(MediaType.MULTIPART_FORM_DATA)
@@ -45,6 +47,7 @@ public Map<String, Object> greeting(@Valid @BeanParam FormData formData) {
         return result;
     }
 
+    @DisableSecureSerialization // Person has @SecureField but we want to inspect all data
     @POST
     @Produces(MediaType.APPLICATION_JSON)
     @Consumes(MediaType.MULTIPART_FORM_DATA)

diff --git a/...ment/src/test/java/io/quarkus/resteasy/reactive/jackson/deployment/test/ResponseType.java b/...ment/src/test/java/io/quarkus/resteasy/reactive/jackson/deployment/test/ResponseType.java
@@ -0,0 +1,57 @@
+package io.quarkus.resteasy.reactive.jackson.deployment.test;
+
+import jakarta.ws.rs.core.Response;
+
+import org.jboss.resteasy.reactive.RestResponse;
+
+import io.quarkus.resteasy.reactive.jackson.SecureField;
+import io.smallrye.mutiny.Multi;
+import io.smallrye.mutiny.Uni;
+
+public enum ResponseType {
+    /**
+     * Returns DTOs directly.
+     */
+    PLAIN(true, "plain"),
+    /**
+     * Returns {@link Multi} with DTOs.
+     */
+    // TODO: enable when https://github.com/quarkusio/quarkus/issues/40447 gets fixed
+    //MULTI(true, "multi"),
+    /**
+     * Returns {@link Uni} with DTOs.
+     */
+    UNI(true, "uni"),
+    /**
+     * Returns {@link Object} that is either DTO with a {@link SecureField} or not.
+     */
+    OBJECT(false, "object"), // we must always assume it can contain SecureField
+    /**
+     * Returns {@link Response} that is either DTO with a {@link SecureField} or not.
+     */
+    RESPONSE(false, "response"), // we must always assume it can contain SecureField
+    /**
+     * Returns {@link RestResponse} with DTOs.
+     */
+    REST_RESPONSE(true, "rest-response"),
+    /**
+     * Returns {@link RestResponse} with DTOs.
+     */
+    COLLECTION(true, "collection");
+
+    private final boolean secureFieldDetectable;
+    private final String resourceSubPath;
+
+    ResponseType(boolean secureFieldDetectable, String resourceSubPath) {
+        this.secureFieldDetectable = secureFieldDetectable;
+        this.resourceSubPath = resourceSubPath;
+    }
+
+    boolean isSecureFieldDetectable() {
+        return secureFieldDetectable;
+    }
+
+    String getResourceSubPath() {
+        return resourceSubPath;
+    }
+}