Merge pull request #45366 from michalvavrik/feature/move-deny-unannot…

…ated-to-buildtime-fixed

Drop `@ConfigMapping` security interface with `BUILD_AND_RUN_TIME_FIXED` as we don't need `denyUnannotated` in the runtime config phase

extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityConfig.java

@@ -34,4 +34,25 @@ public interface SecurityConfig {
      */
     @ConfigDocMapKey("provider-name")
     Map<String, String> securityProviderConfig();
+
+    /**
+     * If set to true, access to all methods of beans that have any security annotations on other members will be denied by
+     * default.
+     * E.g. if enabled, in the following bean, <code>methodB</code> will be denied.
+     *
+     * <pre>
+     *   &#064;ApplicationScoped
+     *   public class A {
+     *      &#064;RolesAllowed("admin")
+     *      public void methodA() {
+     *          ...
+     *      }
+     *      public void methodB() {
+     *          ...
+     *      }
+     *   }
+     * </pre>
+     */
+    @WithDefault("false")
+    boolean denyUnannotatedMembers();
 }

extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java

@@ -109,7 +109,6 @@
 import io.quarkus.security.runtime.IdentityProviderManagerCreator;
 import io.quarkus.security.runtime.QuarkusPermissionSecurityIdentityAugmentor;
 import io.quarkus.security.runtime.QuarkusSecurityRolesAllowedConfigBuilder;
-import io.quarkus.security.runtime.SecurityBuildTimeConfig;
 import io.quarkus.security.runtime.SecurityCheckRecorder;
 import io.quarkus.security.runtime.SecurityIdentityAssociation;
 import io.quarkus.security.runtime.SecurityIdentityProxy;
@@ -550,9 +549,8 @@ void transformAdditionalSecuredClassesToMethods(List<AdditionalSecuredClassesBui
      */
     @BuildStep
     void transformSecurityAnnotations(BuildProducer<AnnotationsTransformerBuildItem> transformers,
-            List<AdditionalSecuredMethodsBuildItem> additionalSecuredMethods,
-            SecurityBuildTimeConfig config) {
-        if (config.denyUnannotated()) {
+            List<AdditionalSecuredMethodsBuildItem> additionalSecuredMethods) {
+        if (security.denyUnannotatedMembers()) {
             transformers.produce(new AnnotationsTransformerBuildItem(AnnotationTransformation
                     .forClasses()
                     .whenClass(new DenyUnannotatedPredicate())
@@ -747,7 +745,7 @@ MethodSecurityChecks gatherSecurityChecks(
             BuildProducer<ClassSecurityCheckStorageBuildItem> classSecurityCheckStorageProducer,
             List<RegisterClassSecurityCheckBuildItem> registerClassSecurityCheckBuildItems,
             BuildProducer<ReflectiveClassBuildItem> reflectiveClassBuildItemBuildProducer,
-            List<AdditionalSecurityCheckBuildItem> additionalSecurityChecks, SecurityBuildTimeConfig config,
+            List<AdditionalSecurityCheckBuildItem> additionalSecurityChecks,
             PermissionSecurityChecksBuilderBuildItem permissionSecurityChecksBuilderBuildItem,
             BuildProducer<GeneratedClassBuildItem> generatedClassesProducer,
             BuildProducer<ReflectiveClassBuildItem> reflectiveClassesProducer) {
@@ -765,7 +763,7 @@ MethodSecurityChecks gatherSecurityChecks(
 
         IndexView index = beanArchiveBuildItem.getIndex();
         Map<MethodInfo, SecurityCheck> securityChecks = gatherSecurityAnnotations(index, configExpSecurityCheckProducer,
-                additionalSecured.values(), config.denyUnannotated(), recorder, configBuilderProducer,
+                additionalSecured.values(), security.denyUnannotatedMembers(), recorder, configBuilderProducer,
                 reflectiveClassBuildItemBuildProducer, rolesAllowedConfigExpResolverBuildItems,
                 registerClassSecurityCheckBuildItems, classSecurityCheckStorageProducer, hasAdditionalSecAnn,
                 additionalSecurityAnnotationItems, permissionSecurityChecksBuilderBuildItem.instance,