NPE during custom bean invocation via PreAuthorize annotation in Quarkus RESTEasy

[deidzen]

Describe the bug

According to documentation (https://quarkus.io/guides/spring-security#preauthorize), Quarkus supports custom bean invocation via PreAuthorize annotation before method executing

But starting from 3.6.8 version (I personally checked 3.6.8, 3.9.5 and current 3.16.3), this functionality in Quarkus RESTEasy is not working, it throws NullPointerException.

I see that EagerSecurityFilter class mentioned in error stacktrace was changed in 3.6.8 version (6d76eaf#diff-fbf38214479c02a3e1bae50b5b595d13c12c28e64d34246398151ef3b521e5db). Maybe that caused the issue.

Expected behavior

Custom bean is invoked through @PreAuthorize annotation succesfully

Actual behavior

NPE is thrown during custom bean invocation

java.lang.NullPointerException: Cannot load from object array because "<parameter2>" is null
	at io.quarkus.spring.security.check.PersonChecker_2d2da3d8eb389fe1c70f7b93d91d35c2a8f20142_CheckFor_check.check(Unknown Source)
	at io.quarkus.spring.security.runtime.interceptor.check.AbstractBeanMethodSecurityCheck.doApply(AbstractBeanMethodSecurityCheck.java:30)
	at io.quarkus.spring.security.runtime.interceptor.check.AbstractBeanMethodSecurityCheck.apply(AbstractBeanMethodSecurityCheck.java:26)
	at io.quarkus.resteasy.runtime.EagerSecurityFilter.applySecurityChecks(EagerSecurityFilter.java:127)
	at io.quarkus.resteasy.runtime.EagerSecurityFilter.filter(EagerSecurityFilter.java:78)
	at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:276)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:415)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:378)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:356)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:70)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:429)
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invokePropagateNotFound$6(SynchronousDispatcher.java:275)
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:154)
	at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:321)
	at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:157)
	at org.jboss.resteasy.core.SynchronousDispatcher.invokePropagateNotFound(SynchronousDispatcher.java:260)
	at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:86)
	at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
	at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler$1.run(VertxRequestHandler.java:97)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:627)
	at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2675)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2654)
	at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1627)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1594)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:842)
Resulted in: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException: Cannot load from object array because "<parameter2>" is null
	at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:357)
	at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:205)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:452)
	... 17 more

How to Reproduce?

Reproducer: https://github.com/deidzen/quarkus-preauthorized-test

Steps to reproduce:

1. Pull the reproducer.
2. Run mvn clean test . 2 tests will fail with 500 error
   java.lang.NullPointerException: Cannot load from object array because "<parameter2>" is null

For compare you can switch to 3.6.7 Quarkus version (quarkus-3.6.7-resteasy branch) and try once again - tests will pass

Output of uname -a or ver

Microsoft Windows [Version 10.0.26100.2033]

Output of java -version

17.0.10, vendor: Oracle OpenJDK

Quarkus version or git rev

3.6.8+ (I personally checked 3.6.8, 3.9.5 and current 3.16.3)

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)

Additional information

No response

[sberyozkin]

@deidzen While this issue is being addressed, you may want to to have a look at @PermissionChecker in Quarkus 3.17.0.CR1:

https://quarkus.io/version/main/guides/security-authorize-web-endpoints-reference#permission-checker

We believe it offers a simpler alternative to @PreAuthorize