Description
In https://github.com/quarkusio/quarkus/pull/50987/files#r2524146520 we raised the issue that CDI says that interceptors are not applied to super-type methods (at least that's how I understood it).
To put the topic in a simple example, this is about cases like:

```java
public interface NotSecured {
    public void abstractMethod();
    public default void defaultMethod() {}
}

@Authenticated
public interface Secured extends NotSecured {
}
```

This applies to JAX-RS methods (for methods with implementations) but also Jakarta Data repositories where abstract methods are auto-implemented by Hibernate, or REST with Panache, and other parts of Quarkus where extensions give you default classes which you can then secure via subclasses.
The intuitive thing for users is that once you add a security annotation on a class, you secure every single one of its methods, even the inherited ones. Otherwise you must re-define overrides that do nothing, or delegate up, and make sure you never miss one.
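As an added illustration (not code from this issue, from Quarkus or from ArC), the following stand-alone program mirrors the Jakarta Annotations guideline quoted further down ("class-level annotations only affect the class they annotate and its members") with a reflective check: a method counts as secured only if it, or the type that declares it, carries the annotation. The `@Authenticated` annotation here is a hypothetical stand-in, not the Quarkus one, and `SecuredByRedeclaration` is an assumed variant showing the workaround the paragraph above describes (re-declaring every inherited method in the annotated type).

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

public class InheritedSecurityCheck {

    // Hypothetical stand-in for a security annotation such as @Authenticated;
    // not the Quarkus annotation, just enough to be visible to reflection.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface Authenticated {}

    // The two interfaces from the issue.
    public interface NotSecured {
        void abstractMethod();
        default void defaultMethod() {}
    }

    @Authenticated
    public interface Secured extends NotSecured {}

    // Assumed workaround: re-declare the inherited methods inside the annotated
    // type so that the annotated type is their declaring type.
    @Authenticated
    public interface SecuredByRedeclaration extends NotSecured {
        @Override
        void abstractMethod();

        @Override
        default void defaultMethod() {
            NotSecured.super.defaultMethod();
        }
    }

    /** "Declaring class only" rule: the method or the type declaring it must be annotated. */
    static boolean securedByDeclaringType(Method m) {
        return m.isAnnotationPresent(Authenticated.class)
                || m.getDeclaringClass().isAnnotationPresent(Authenticated.class);
    }

    /**
     * Public methods reachable through {@code type} that the rule above leaves
     * unsecured, reported as DeclaringType.method. Methods inherited from
     * Object are skipped for classes; interfaces never list them.
     */
    static List<String> unsecuredMethods(Class<?> type) {
        List<String> gaps = new ArrayList<>();
        for (Method m : type.getMethods()) {
            if (m.getDeclaringClass() == Object.class) {
                continue;
            }
            if (!securedByDeclaringType(m)) {
                gaps.add(m.getDeclaringClass().getSimpleName() + "." + m.getName());
            }
        }
        return gaps;
    }

    public static void main(String[] args) {
        // Secured carries the annotation but declares no methods, so both inherited
        // methods are reported; SecuredByRedeclaration reports none.
        System.out.println("Secured: " + unsecuredMethods(Secured.class));
        System.out.println("SecuredByRedeclaration: " + unsecuredMethods(SecuredByRedeclaration.class));
    }
}
```

Run with `javac InheritedSecurityCheck.java && java InheritedSecurityCheck`. The `unsecuredMethods` check is the kind of assertion a test suite can run over its resource and repository interfaces to catch an inherited method that no annotated type declares; which rule Quarkus itself should apply is exactly what this issue is asking to decide.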
@michalvavrik mentioned this being discussed in the past in at least:
- RBAC Security doesn't work with super classes #6251 (comment)
- RolesAllowed annotations on interface are ignored #16840 (comment) (or better, from the same issue: RolesAllowed annotations on interface are ignored #16840 (comment))
- Security Annotations Does not work on JaxRS resource interface #22530 (comment)
- JAX-RS default security is applied to annotated, inherited endpoints #38754 (comment)
- Support @PermissionsAllowed security annotation on REST Data Panache endpoints #51188
And said:
> having class-level annotations inherited on parent/subclasses goes against how I personally read https://jakarta.ee/specifications/annotations/3.0/annotations-spec-3.0#general-guidelines-for-inheritance-of-annotations for example:
>
> > Class-level annotations only affect the class they annotate and its members, that is, its methods and fields. They never affect a member declared by a superclass, even if it is not hidden or overridden by the class in question.
We should have a discussion about this, see if this only applies to security annotations or other annotations too, and decide if we need to change our current implementation and behaviour for better consistency.
CC @michalvavrik @mkouba @gavinking @yrodiere @geoand
Implementation ideas
No response