NPE during custom bean invocation via PreAuthorize annotation in Quarkus RESTEasy

[deidzen]

Describe the bug

According to documentation (https://quarkus.io/guides/spring-security#preauthorize), Quarkus supports custom bean invocation via PreAuthorize annotation before method executing

But starting from 3.6.8 version (I personally checked 3.6.8, 3.9.5 and current 3.16.3), this functionality in Quarkus RESTEasy is not working, it throws NullPointerException.

I see that EagerSecurityFilter class mentioned in error stacktrace was changed in 3.6.8 version (6d76eaf#diff-fbf38214479c02a3e1bae50b5b595d13c12c28e64d34246398151ef3b521e5db). Maybe that caused the issue.

Expected behavior

Custom bean is invoked through @PreAuthorize annotation succesfully

Actual behavior

NPE is thrown during custom bean invocation

java.lang.NullPointerException: Cannot load from object array because "<parameter2>" is null
	at io.quarkus.spring.security.check.PersonChecker_2d2da3d8eb389fe1c70f7b93d91d35c2a8f20142_CheckFor_check.check(Unknown Source)
	at io.quarkus.spring.security.runtime.interceptor.check.AbstractBeanMethodSecurityCheck.doApply(AbstractBeanMethodSecurityCheck.java:30)
	at io.quarkus.spring.security.runtime.interceptor.check.AbstractBeanMethodSecurityCheck.apply(AbstractBeanMethodSecurityCheck.java:26)
	at io.quarkus.resteasy.runtime.EagerSecurityFilter.applySecurityChecks(EagerSecurityFilter.java:127)
	at io.quarkus.resteasy.runtime.EagerSecurityFilter.filter(EagerSecurityFilter.java:78)
	at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:276)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:415)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:378)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:356)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:70)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:429)
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invokePropagateNotFound$6(SynchronousDispatcher.java:275)
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:154)
	at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:321)
	at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:157)
	at org.jboss.resteasy.core.SynchronousDispatcher.invokePropagateNotFound(SynchronousDispatcher.java:260)
	at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:86)
	at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
	at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler$1.run(VertxRequestHandler.java:97)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:627)
	at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2675)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2654)
	at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1627)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1594)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:842)
Resulted in: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException: Cannot load from object array because "<parameter2>" is null
	at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:357)
	at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:205)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:452)
	... 17 more

How to Reproduce?

Reproducer: https://github.com/deidzen/quarkus-preauthorized-test

Steps to reproduce:

1. Pull the reproducer.
2. Run mvn clean test . 2 tests will fail with 500 error
   java.lang.NullPointerException: Cannot load from object array because "<parameter2>" is null

For compare you can switch to 3.6.7 Quarkus version (quarkus-3.6.7-resteasy branch) and try once again - tests will pass

Output of uname -a or ver

Microsoft Windows [Version 10.0.26100.2033]

Output of java -version

17.0.10, vendor: Oracle OpenJDK

Quarkus version or git rev

3.6.8+ (I personally checked 3.6.8, 3.9.5 and current 3.16.3)

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)

Additional information

No response

[sberyozkin]

@deidzen While this issue is being addressed, you may want to to have a look at @PermissionChecker in Quarkus 3.17.0.CR1:

https://quarkus.io/version/main/guides/security-authorize-web-endpoints-reference#permission-checker

We believe it offers a simpler alternative to @PreAuthorize

[michalvavrik]

I see that EagerSecurityFilter class mentioned in error stacktrace was changed in 3.6.8 version (6d76eaf#diff-fbf38214479c02a3e1bae50b5b595d13c12c28e64d34246398151ef3b521e5db). Maybe that caused the issue.

We keep changing it, that is nothing out of ordinary. I will put this issue on my (extended) list.

[michalvavrik]

So what has changed is that we now perform this security check eagerly (before serialization etc.). This should help #44667, but you can only do this for authenticated requests for postponing authorization for anonymous users is not supported in Quarkus.

[Kirill-Belko]

Could you please add this fix in 3.9.5 version?

[michalvavrik]

Could you please add this fix in 3.9.5 version?

A great lot has changed in this implementation, I think it may require custom backport. Anyway, 3.9.x is not supported anymore, it's not LTS. The latest version is now 3.17 and the latest LTS is 3.15. See https://code.quarkus.io/ streams.