quarkus: Quarkus 0.27 - JWT role validation does not work

Hi,

I have just migrated my small project from Quarkus 0.25 to 0.27 and I ran into an issue.

Let’s imagine we have the SmallRye JWT extension configured and the following class:

    import javax.annotation.security.RolesAllowed
    import javax.enterprise.context.RequestScoped
    import javax.ws.rs.GET
    import javax.ws.rs.Path
    import javax.ws.rs.Produces
    import javax.ws.rs.core.Context
    import javax.ws.rs.core.MediaType
    import javax.ws.rs.core.SecurityContext

    @Path("/hello")
    @RequestScoped
    open class GreetingResource {

        // Only callers carrying the "Echoer" or "Subscriber" role may reach this method;
        // anyone else should be rejected before the method body runs.
        @GET
        @Path("/protected")
        @Produces(MediaType.TEXT_PLAIN)
        @RolesAllowed(value = ["Echoer", "Subscriber"])
        fun helloProtected(@Context ctx: SecurityContext): String {
            val callerName = ctx.userPrincipal?.name ?: "unknown"
            return "hello $callerName"
        }
    }

Corresponding test:

    import io.quarkus.test.junit.QuarkusTest
    import io.restassured.RestAssured.given
    import org.junit.jupiter.api.Test

    @QuarkusTest
    class GreetingResourceTest {

        // An unauthenticated request must not reach the protected method.
        @Test
        fun testHelloEndpoint_protectedAsUnknown() {
            given()
                    .`when`().get("/hello/protected")
                    .then()
                    .statusCode(401)
        }
    }

Everything works fine with 0.25. Unfortunately on Quarkus 0.27 my test fails because a request ends with HTTP 200 (helloProtected method gets called).

I started looking into the problem and I found that in Quarkus 0.27:

  • RolesFilterRegistrar#configure is not called and does not register RolesAllowedFilter
  • ResteasyDeploymentImpl contains a list (providerClasses) that in the previous version contained io.quarkus.resteasy.runtime.RolesFilterRegistrar, but in 0.27 this class is not there

In Quarkus 0.25 RolesFilterRegistrar and RolesAllowedFilter are in the quarkus-resteasy module, but 0.27 does not contain them.

It looks like, because io.quarkus.resteasy.runtime.RolesFilterRegistrar is not registered (present on the providerClasses list), JWT RBAC does not work. If there is a new way in which RolesAllowedFilter is configured, then maybe it is not enabled by default. The RolesAllowedFilter class is also present in smallrye-jwt-2.0.9.jar.
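The test in the report only covers the anonymous case. A regression the reporter describes (the roles filter not being registered at all) lets every request through, so a test suite that also sends a token with the wrong role and one with an allowed role tells the "filter missing" failure apart from a merely misconfigured issuer or key. The following Kotlin test is an added example, not code from the issue or from the Quarkus project. It assumes the quarkus-smallrye-jwt extension plus the smallrye-jwt-build `io.smallrye.jwt.build.Jwt` builder on the test classpath, a test signing key configured so that `Jwt.sign()` works, and a constructed issuer `https://example.test/issuer` that matches the application's `mp.jwt.verify.issuer` setting.

```kotlin
// Added example (not from the issue): regression tests for @RolesAllowed enforcement
// on /hello/protected. Assumes smallrye-jwt-build and a configured test signing key.
import io.quarkus.test.junit.QuarkusTest
import io.restassured.RestAssured.given
import io.smallrye.jwt.build.Jwt
import org.hamcrest.CoreMatchers.equalTo
import org.junit.jupiter.api.Test

@QuarkusTest
class GreetingResourceRbacTest {

    // Constructed value; must equal mp.jwt.verify.issuer in the test configuration.
    private val issuer = "https://example.test/issuer"

    // Mint a token for the given caller carrying the given groups (roles),
    // signed with the test signing key configured for smallrye-jwt-build.
    private fun tokenFor(name: String, vararg groups: String): String =
        Jwt.issuer(issuer).upn(name).groups(groups.toSet()).sign()

    // No credentials at all: the endpoint must answer 401, never 200.
    @Test
    fun anonymousRequestIsRejected() {
        given()
            .`when`().get("/hello/protected")
            .then()
            .statusCode(401)
    }

    // Valid, well-signed token but a role outside @RolesAllowed: must be 403.
    // If the roles filter is not registered this request also returns 200,
    // which is the symptom described in the issue.
    @Test
    fun tokenWithoutRequiredRoleIsForbidden() {
        given()
            .header("Authorization", "Bearer ${tokenFor("mallory", "Reader")}")
            .`when`().get("/hello/protected")
            .then()
            .statusCode(403)
    }

    // Token with one of the allowed roles: the method runs and greets the caller.
    @Test
    fun tokenWithAllowedRoleIsAccepted() {
        given()
            .header("Authorization", "Bearer ${tokenFor("alice", "Echoer")}")
            .`when`().get("/hello/protected")
            .then()
            .statusCode(200)
            .body(equalTo("hello alice"))
    }
}
```

Running all three together is what makes the suite useful as a guard: when only the anonymous test is present, a build that silently drops the roles filter still fails it, but a build that merely skips role evaluation after a successful token check (the wrong-role case) would pass unnoticed.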

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 17 (17 by maintainers)

Most upvoted comments

Is someone working on the deployment error approach? I think we should have it in 0.28.0.