Merge pull request #5813 from geoand/#5763

Fix security issue related to the inclusion of annotations on secured method parameters

extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java

@@ -199,7 +199,7 @@ private ResultHandle paramTypes(MethodCreator ctor, List<Type> parameters) {
         ResultHandle result = ctor.newArray(String.class, ctor.load(parameters.size()));
 
         for (int i = 0; i < parameters.size(); i++) {
-            ctor.writeArrayValue(result, i, ctor.load(parameters.get(i).toString()));
+            ctor.writeArrayValue(result, i, ctor.load(parameters.get(i).name().toString()));
         }
 
         return result;

integration-tests/main/src/main/java/io/quarkus/it/rest/RBACSecuredResource.java

@@ -4,8 +4,12 @@
 import javax.annotation.security.PermitAll;
 import javax.annotation.security.RolesAllowed;
 import javax.inject.Inject;
+import javax.validation.Valid;
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.SecurityContext;
+import javax.ws.rs.core.UriInfo;
 
 import io.quarkus.security.Authenticated;
 
@@ -25,6 +29,14 @@ public String forTesterOnly() {
         return "forTesterOnly";
     }
 
+    @GET
+    @RolesAllowed("tester")
+    @Path("forTesterOnlyWithMethodParamAnnotations")
+    public String forTesterOnlyWithMethodParamAnnotations(@Context SecurityContext ctx, @Context UriInfo uriInfo,
+            @Valid String message) {
+        return "forTesterOnlyWithMethodParamAnnotations";
+    }
+
     @GET
     @DenyAll
     @Path("denied")

integration-tests/main/src/test/java/io/quarkus/it/main/RBACAccessTest.java

@@ -25,6 +25,15 @@ public void shouldRestrictAccessToSpecificRole() {
                 Optional.of("forTesterOnly"));
     }
 
+    @Test
+    public void shouldRestrictAccessToSpecificRoleAndMethodParameterAnnotationsShouldntAffectAnything() {
+        String path = "/rbac-secured/forTesterOnlyWithMethodParamAnnotations";
+        assertForAnonymous(path, 401, Optional.empty());
+        assertStatusAndContent(RestAssured.given().auth().preemptive().basic("stuart", "test"), path, 403, Optional.empty());
+        assertStatusAndContent(RestAssured.given().auth().preemptive().basic("scott", "jb0ss"), path, 200,
+                Optional.of("forTesterOnlyWithMethodParamAnnotations"));
+    }
+
     @Test
     public void shouldFailToAccessForbidden() {
         assertForAnonymous("/rbac-secured/denied", 401, Optional.empty());