Quarkus REST Jackson: Improve detection of generic fields annotated with the @SecureField and allow to explicitly enable secure serialization

[michalvavrik]

• closes: Failing to apply @SecureField to a generic with nested objects. #44646
• fixes reproducer that requires to resolve type params to actual types
  • this is done only for the endpoint return type (AKA once, it shouldn't have impact on time required to detect secure field)
• however this won't work for more complex scenarios and personally I think it was never aim; for that reason, this PR propose to always include SecurityCustomSerialization when secure serialization is explicitly enabled with the EnableSecureSerialization annotation, which gives users means to use @SecureField for non-trivial scenarios
• docs is improved to so that users understand secure serialization is enabled implicitly on the best-effort bases and they may need to enable it explicitly

[github-actions]

🙈 The PR is closed and the preview is expired.

[quarkus-bot]

Status for workflow Quarkus Documentation CI

This is the status report for running Quarkus Documentation CI on commit e8fd90a.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

Warning

There are other workflow runs running, you probably need to wait for their status before merging.

[quarkus-bot]

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit e8fd90a.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

[geoand]

Thanks a lot @michalvavrik!

[suchwerk]

Thanks @michalvavrik for the quick fix / enhancement!

[FroMage]

We have better type mapping functions already in place that do better than just handling simple cases like the field type being a type variable. Probably this could be improved.

[michalvavrik]

Can you be more specific? Both in scenarios you have in mind and where these mapping functions are already in place, because I don't know what you mean.

Also, I didn't want to do better because last time I improved this detection there was a complain that it prolongs build-time execution. So if your proposal won't have negative effect, I'm happy to apply it.

[michalvavrik]

Few hints should do, I just want to better understand what do you mean and make sure it wouldn't lead to increased build-time execution.

[FroMage]

I was thinking of the logic we already do to resolve type parameters in resteasy reactive. I think via JandexUtil and TypeMapper, but I can only find usages of them to obtain method parameter or return type signatures or the list of type parameters. I can't find anywhere where we resolve an entire Type with type parameters substituted. Probably I dreamed this :(

[michalvavrik]

np, if you run into this or @geoand knows, please let me know. it's not on the top of my list tbh, so no hurry

[geoand]

I can't find anywhere where we resolve an entire Type with type parameters substituted. Probably I dreamed this

AFAIR, the cases we've it for are method parameters and method return types