From e69be6c85dcd31112dd594089056c0063d398dbd Mon Sep 17 00:00:00 2001
From: Jose <josecarvajalhilario@gmail.com>
Date: Fri, 14 Oct 2022 11:08:24 +0200
Subject: [PATCH] Support setting the RolesAllowed in the Panache REST Data
 extension

With these changes, we can specify the roles using the annotations `@ResourceProperties` at resource level, and `@MethodProperties` for method level.
Fix https://github.com/quarkusio/quarkus/issues/28507

(cherry picked from commit dda7d784350e9a0badaebdb647f85f4ca3e71b9f)
---
 docs/src/main/asciidoc/rest-data-panache.adoc |  2 ++
 .../openapi/OpenApiIntegrationTest.java       |  7 +++-
 .../repository/CollectionsResource.java       |  5 ++-
 .../openapi/OpenApiIntegrationTest.java       |  7 +++-
 .../repository/CollectionsResource.java       |  5 ++-
 .../deployment/JaxRsResourceImplementor.java  | 16 ++++-----
 .../panache/deployment/RestDataProcessor.java |  7 +---
 .../methods/AddMethodImplementor.java         | 11 +++---
 .../methods/CountMethodImplementor.java       |  6 ++--
 .../methods/DeleteMethodImplementor.java      |  6 ++--
 .../methods/GetMethodImplementor.java         |  6 ++--
 .../methods/ListMethodImplementor.java        |  7 ++--
 .../methods/StandardMethodImplementor.java    | 34 ++++++++++++++-----
 .../methods/UpdateMethodImplementor.java      | 11 +++---
 .../methods/hal/HalMethodImplementor.java     |  5 +--
 .../methods/hal/ListHalMethodImplementor.java |  7 ++--
 .../properties/MethodProperties.java          |  9 ++++-
 .../properties/ResourceProperties.java        | 13 ++++++-
 .../ResourcePropertiesProvider.java           | 11 +++++-
 .../deployment/utils/ResponseImplementor.java | 14 +++++---
 .../rest/data/panache/MethodProperties.java   |  7 ++++
 .../rest/data/panache/ResourceProperties.java |  7 ++++
 .../ResourcePropertiesProvider.java           |  4 +--
 23 files changed, 147 insertions(+), 60 deletions(-)

diff --git a/docs/src/main/asciidoc/rest-data-panache.adoc b/docs/src/main/asciidoc/rest-data-panache.adoc
index 2f10580f48693..3d66a770412c1 100644
--- a/docs/src/main/asciidoc/rest-data-panache.adoc
+++ b/docs/src/main/asciidoc/rest-data-panache.adoc
@@ -307,6 +307,7 @@ public interface PeopleResource extends PanacheEntityResource<Person, Long> {
 
 * `exposed` - whether resource could be exposed. A global resource property that can be overridden for each method. Default is `true`.
 * `path` - resource base path. Default path is a hyphenated lowercase resource name without a suffix of `resource` or `controller`.
+* `rolesAllowed` - List of the security roles permitted to access the resources. It needs a Quarkus security extension to be present, otherwise it will be ignored. Default is empty.
 * `paged` - whether collection responses should be paged or not.
 First, last, previous and next page URIs are included in the response headers if they exist.
 Request page index and size are taken from the `page` and `size` query parameters that default to `0` and `20` respectively.
@@ -319,6 +320,7 @@ Default is `false`.
 
 * `exposed` - does not expose a particular HTTP verb when set to `false`. Default is `true`.
 * `path` - operation path (this is appended to the resource base path). Default is an empty string.
+* `rolesAllowed` - List of the security roles permitted to access this operation. It needs a Quarkus security extension to be present, otherwise it will be ignored. Default is empty.
 
 == Query parameters
 
diff --git a/extensions/panache/hibernate-orm-rest-data-panache/deployment/src/test/java/io/quarkus/hibernate/orm/rest/data/panache/deployment/openapi/OpenApiIntegrationTest.java b/extensions/panache/hibernate-orm-rest-data-panache/deployment/src/test/java/io/quarkus/hibernate/orm/rest/data/panache/deployment/openapi/OpenApiIntegrationTest.java
index f948620249797..93d05cd00d4cf 100644
--- a/extensions/panache/hibernate-orm-rest-data-panache/deployment/src/test/java/io/quarkus/hibernate/orm/rest/data/panache/deployment/openapi/OpenApiIntegrationTest.java
+++ b/extensions/panache/hibernate-orm-rest-data-panache/deployment/src/test/java/io/quarkus/hibernate/orm/rest/data/panache/deployment/openapi/OpenApiIntegrationTest.java
@@ -38,7 +38,8 @@ class OpenApiIntegrationTest {
             .setForcedDependencies(List.of(
                     Dependency.of("io.quarkus", "quarkus-smallrye-openapi", Version.getVersion()),
                     Dependency.of("io.quarkus", "quarkus-jdbc-h2-deployment", Version.getVersion()),
-                    Dependency.of("io.quarkus", "quarkus-resteasy-jsonb-deployment", Version.getVersion())))
+                    Dependency.of("io.quarkus", "quarkus-resteasy-jsonb-deployment", Version.getVersion()),
+                    Dependency.of("io.quarkus", "quarkus-security-deployment", Version.getVersion())))
             .setRun(true);
 
     @Test
@@ -52,9 +53,13 @@ public void testOpenApiForGeneratedResources() {
                 .body("paths.'/collections'.get.tags", Matchers.hasItem("CollectionsResource"))
                 .body("paths.'/collections'", Matchers.hasKey("post"))
                 .body("paths.'/collections'.post.tags", Matchers.hasItem("CollectionsResource"))
+                .body("paths.'/collections'.post.security[0].SecurityScheme", Matchers.hasItem("user"))
                 .body("paths.'/collections/{id}'", Matchers.hasKey("get"))
+                .body("paths.'/collections/{id}'.get.security[0].SecurityScheme", Matchers.hasItem("user"))
                 .body("paths.'/collections/{id}'", Matchers.hasKey("put"))
+                .body("paths.'/collections/{id}'.put.security[0].SecurityScheme", Matchers.hasItem("user"))
                 .body("paths.'/collections/{id}'", Matchers.hasKey("delete"))
+                .body("paths.'/collections/{id}'.delete.security[0].SecurityScheme", Matchers.hasItem("admin"))
                 .body("paths.'/empty-list-items'", Matchers.hasKey("get"))
                 .body("paths.'/empty-list-items'.get.tags", Matchers.hasItem("EmptyListItemsResource"))
                 .body("paths.'/empty-list-items'", Matchers.hasKey("post"))
diff --git a/extensions/panache/hibernate-orm-rest-data-panache/deployment/src/test/java/io/quarkus/hibernate/orm/rest/data/panache/deployment/repository/CollectionsResource.java b/extensions/panache/hibernate-orm-rest-data-panache/deployment/src/test/java/io/quarkus/hibernate/orm/rest/data/panache/deployment/repository/CollectionsResource.java
index 428e6a5be54fb..55379c59b2f56 100644
--- a/extensions/panache/hibernate-orm-rest-data-panache/deployment/src/test/java/io/quarkus/hibernate/orm/rest/data/panache/deployment/repository/CollectionsResource.java
+++ b/extensions/panache/hibernate-orm-rest-data-panache/deployment/src/test/java/io/quarkus/hibernate/orm/rest/data/panache/deployment/repository/CollectionsResource.java
@@ -1,8 +1,11 @@
 package io.quarkus.hibernate.orm.rest.data.panache.deployment.repository;
 
 import io.quarkus.hibernate.orm.rest.data.panache.PanacheRepositoryResource;
+import io.quarkus.rest.data.panache.MethodProperties;
 import io.quarkus.rest.data.panache.ResourceProperties;
 
-@ResourceProperties(hal = true, paged = false, halCollectionName = "item-collections")
+@ResourceProperties(hal = true, paged = false, halCollectionName = "item-collections", rolesAllowed = "user")
 public interface CollectionsResource extends PanacheRepositoryResource<CollectionsRepository, Collection, String> {
+    @MethodProperties(rolesAllowed = "admin")
+    boolean delete(String name);
 }
diff --git a/extensions/panache/hibernate-reactive-rest-data-panache/deployment/src/test/java/io/quarkus/hibernate/reactive/rest/data/panache/deployment/openapi/OpenApiIntegrationTest.java b/extensions/panache/hibernate-reactive-rest-data-panache/deployment/src/test/java/io/quarkus/hibernate/reactive/rest/data/panache/deployment/openapi/OpenApiIntegrationTest.java
index 5592a1f0bc105..af41470e90998 100644
--- a/extensions/panache/hibernate-reactive-rest-data-panache/deployment/src/test/java/io/quarkus/hibernate/reactive/rest/data/panache/deployment/openapi/OpenApiIntegrationTest.java
+++ b/extensions/panache/hibernate-reactive-rest-data-panache/deployment/src/test/java/io/quarkus/hibernate/reactive/rest/data/panache/deployment/openapi/OpenApiIntegrationTest.java
@@ -38,7 +38,8 @@ class OpenApiIntegrationTest {
             .setForcedDependencies(List.of(
                     Dependency.of("io.quarkus", "quarkus-smallrye-openapi", Version.getVersion()),
                     Dependency.of("io.quarkus", "quarkus-reactive-pg-client-deployment", Version.getVersion()),
-                    Dependency.of("io.quarkus", "quarkus-resteasy-reactive-jsonb-deployment", Version.getVersion())))
+                    Dependency.of("io.quarkus", "quarkus-resteasy-reactive-jsonb-deployment", Version.getVersion()),
+                    Dependency.of("io.quarkus", "quarkus-security-deployment", Version.getVersion())))
             .setRun(true);
 
     @Test
@@ -52,9 +53,13 @@ public void testOpenApiForGeneratedResources() {
                 .body("paths.'/collections'.get.tags", Matchers.hasItem("CollectionsResource"))
                 .body("paths.'/collections'", Matchers.hasKey("post"))
                 .body("paths.'/collections'.post.tags", Matchers.hasItem("CollectionsResource"))
+                .body("paths.'/collections'.post.security[0].SecurityScheme", Matchers.hasItem("user"))
                 .body("paths.'/collections/{id}'", Matchers.hasKey("get"))
+                .body("paths.'/collections/{id}'.get.security[0].SecurityScheme", Matchers.hasItem("user"))
                 .body("paths.'/collections/{id}'", Matchers.hasKey("put"))
+                .body("paths.'/collections/{id}'.put.security[0].SecurityScheme", Matchers.hasItem("user"))
                 .body("paths.'/collections/{id}'", Matchers.hasKey("delete"))
+                .body("paths.'/collections/{id}'.delete.security[0].SecurityScheme", Matchers.hasItem("admin"))
                 .body("paths.'/empty-list-items'", Matchers.hasKey("get"))
                 .body("paths.'/empty-list-items'.get.tags", Matchers.hasItem("EmptyListItemsResource"))
                 .body("paths.'/empty-list-items'", Matchers.hasKey("post"))
diff --git a/extensions/panache/hibernate-reactive-rest-data-panache/deployment/src/test/java/io/quarkus/hibernate/reactive/rest/data/panache/deployment/repository/CollectionsResource.java b/extensions/panache/hibernate-reactive-rest-data-panache/deployment/src/test/java/io/quarkus/hibernate/reactive/rest/data/panache/deployment/repository/CollectionsResource.java
index 5f9bb1fbcacf9..853e593fb6faa 100644
--- a/extensions/panache/hibernate-reactive-rest-data-panache/deployment/src/test/java/io/quarkus/hibernate/reactive/rest/data/panache/deployment/repository/CollectionsResource.java
+++ b/extensions/panache/hibernate-reactive-rest-data-panache/deployment/src/test/java/io/quarkus/hibernate/reactive/rest/data/panache/deployment/repository/CollectionsResource.java
@@ -1,8 +1,11 @@
 package io.quarkus.hibernate.reactive.rest.data.panache.deployment.repository;
 
 import io.quarkus.hibernate.reactive.rest.data.panache.PanacheRepositoryResource;
+import io.quarkus.rest.data.panache.MethodProperties;
 import io.quarkus.rest.data.panache.ResourceProperties;
 
-@ResourceProperties(hal = true, paged = false, halCollectionName = "item-collections")
+@ResourceProperties(hal = true, paged = false, halCollectionName = "item-collections", rolesAllowed = "user")
 public interface CollectionsResource extends PanacheRepositoryResource<CollectionsRepository, Collection, String> {
+    @MethodProperties(rolesAllowed = "admin")
+    boolean delete(String name);
 }
diff --git a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/JaxRsResourceImplementor.java b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/JaxRsResourceImplementor.java
index 28995d77a5c4b..8a52d03eae3f0 100644
--- a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/JaxRsResourceImplementor.java
+++ b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/JaxRsResourceImplementor.java
@@ -37,16 +37,16 @@ class JaxRsResourceImplementor {
 
     private final List<MethodImplementor> methodImplementors;
 
-    JaxRsResourceImplementor(boolean withValidation, boolean isResteasyClassic, boolean isReactivePanache) {
-        this.methodImplementors = Arrays.asList(new GetMethodImplementor(isResteasyClassic, isReactivePanache),
-                new ListMethodImplementor(isResteasyClassic, isReactivePanache),
-                new CountMethodImplementor(isResteasyClassic, isReactivePanache),
-                new AddMethodImplementor(withValidation, isResteasyClassic, isReactivePanache),
-                new UpdateMethodImplementor(withValidation, isResteasyClassic, isReactivePanache),
-                new DeleteMethodImplementor(isResteasyClassic, isReactivePanache),
+    JaxRsResourceImplementor(Capabilities capabilities) {
+        this.methodImplementors = Arrays.asList(new GetMethodImplementor(capabilities),
+                new ListMethodImplementor(capabilities),
+                new CountMethodImplementor(capabilities),
+                new AddMethodImplementor(capabilities),
+                new UpdateMethodImplementor(capabilities),
+                new DeleteMethodImplementor(capabilities),
                 // The list hal endpoint needs to be added for both resteasy classic and resteasy reactive
                 // because the pagination links are programmatically added.
-                new ListHalMethodImplementor(isResteasyClassic, isReactivePanache));
+                new ListHalMethodImplementor(capabilities));
     }
 
     /**
diff --git a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/RestDataProcessor.java b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/RestDataProcessor.java
index 2dc465386c1a6..ccd7a5c667596 100644
--- a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/RestDataProcessor.java
+++ b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/RestDataProcessor.java
@@ -65,8 +65,7 @@ void implementResources(CombinedIndexBuildItem index, List<RestDataResourceBuild
 
         ClassOutput classOutput = isResteasyClassic ? new GeneratedBeanGizmoAdaptor(resteasyClassicImplementationsProducer)
                 : new GeneratedJaxRsResourceGizmoAdaptor(resteasyReactiveImplementationsProducer);
-        JaxRsResourceImplementor jaxRsResourceImplementor = new JaxRsResourceImplementor(hasValidatorCapability(capabilities),
-                isResteasyClassic, isReactivePanache);
+        JaxRsResourceImplementor jaxRsResourceImplementor = new JaxRsResourceImplementor(capabilities);
         ResourcePropertiesProvider resourcePropertiesProvider = new ResourcePropertiesProvider(index.getIndex());
 
         for (RestDataResourceBuildItem resourceBuildItem : resourceBuildItems) {
@@ -100,10 +99,6 @@ private ResourceProperties getResourceProperties(ResourcePropertiesProvider reso
         return resourcePropertiesProvider.getForInterface(resourceMetadata.getResourceInterface());
     }
 
-    private boolean hasValidatorCapability(Capabilities capabilities) {
-        return capabilities.isPresent(Capability.HIBERNATE_VALIDATOR);
-    }
-
     private boolean hasAnyJsonCapabilityForResteasyClassic(Capabilities capabilities) {
         return capabilities.isPresent(Capability.RESTEASY_JSON_JSONB)
                 || capabilities.isPresent(Capability.RESTEASY_JSON_JACKSON);
diff --git a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/AddMethodImplementor.java b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/AddMethodImplementor.java
index 5bbf4c6e7bef8..21010ea098ec4 100644
--- a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/AddMethodImplementor.java
+++ b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/AddMethodImplementor.java
@@ -6,6 +6,7 @@
 import javax.validation.Valid;
 import javax.ws.rs.core.Response;
 
+import io.quarkus.deployment.Capabilities;
 import io.quarkus.gizmo.ClassCreator;
 import io.quarkus.gizmo.FieldDescriptor;
 import io.quarkus.gizmo.MethodCreator;
@@ -28,11 +29,8 @@ public final class AddMethodImplementor extends StandardMethodImplementor {
 
     private static final String REL = "add";
 
-    private final boolean withValidation;
-
-    public AddMethodImplementor(boolean withValidation, boolean isResteasyClassic, boolean isReactivePanache) {
-        super(isResteasyClassic, isReactivePanache);
-        this.withValidation = withValidation;
+    public AddMethodImplementor(Capabilities capabilities) {
+        super(capabilities);
     }
 
     /**
@@ -112,8 +110,9 @@ protected void implementInternal(ClassCreator classCreator, ResourceMetadata res
         addConsumesAnnotation(methodCreator, APPLICATION_JSON);
         addProducesJsonAnnotation(methodCreator, resourceProperties);
         addLinksAnnotation(methodCreator, resourceMetadata.getEntityType(), REL);
+        addSecurityAnnotations(methodCreator, resourceProperties);
         // Add parameter annotations
-        if (withValidation) {
+        if (hasValidatorCapability()) {
             methodCreator.getParameterAnnotations(0).addAnnotation(Valid.class);
         }
 
diff --git a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/CountMethodImplementor.java b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/CountMethodImplementor.java
index 10e2c86f39e4a..899d511dc502e 100644
--- a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/CountMethodImplementor.java
+++ b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/CountMethodImplementor.java
@@ -5,6 +5,7 @@
 
 import javax.ws.rs.core.Response;
 
+import io.quarkus.deployment.Capabilities;
 import io.quarkus.gizmo.ClassCreator;
 import io.quarkus.gizmo.FieldDescriptor;
 import io.quarkus.gizmo.MethodCreator;
@@ -27,8 +28,8 @@ public final class CountMethodImplementor extends StandardMethodImplementor {
 
     private static final String REL = "count";
 
-    public CountMethodImplementor(boolean isResteasyClassic, boolean isReactivePanache) {
-        super(isResteasyClassic, isReactivePanache);
+    public CountMethodImplementor(Capabilities capabilities) {
+        super(capabilities);
     }
 
     /**
@@ -79,6 +80,7 @@ protected void implementInternal(ClassCreator classCreator, ResourceMetadata res
         addGetAnnotation(methodCreator);
         addProducesAnnotation(methodCreator, APPLICATION_JSON);
         addPathAnnotation(methodCreator, appendToPath(resourceProperties.getPath(RESOURCE_METHOD_NAME), RESOURCE_METHOD_NAME));
+        addSecurityAnnotations(methodCreator, resourceProperties);
         if (!isResteasyClassic()) {
             // We only add the Links annotation in Resteasy Reactive because Resteasy Classic ignores the REL parameter:
             // it always uses "list" for GET methods, so it interferes with the list implementation.
diff --git a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/DeleteMethodImplementor.java b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/DeleteMethodImplementor.java
index 5e80b8a457ce4..3d5374aaafcec 100644
--- a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/DeleteMethodImplementor.java
+++ b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/DeleteMethodImplementor.java
@@ -5,6 +5,7 @@
 
 import javax.ws.rs.core.Response;
 
+import io.quarkus.deployment.Capabilities;
 import io.quarkus.gizmo.BranchResult;
 import io.quarkus.gizmo.ClassCreator;
 import io.quarkus.gizmo.FieldDescriptor;
@@ -28,8 +29,8 @@ public final class DeleteMethodImplementor extends StandardMethodImplementor {
 
     private static final String REL = "remove";
 
-    public DeleteMethodImplementor(boolean isResteasyClassic, boolean isReactivePanache) {
-        super(isResteasyClassic, isReactivePanache);
+    public DeleteMethodImplementor(Capabilities capabilities) {
+        super(capabilities);
     }
 
     /**
@@ -89,6 +90,7 @@ protected void implementInternal(ClassCreator classCreator, ResourceMetadata res
         addDeleteAnnotation(methodCreator);
         addPathParamAnnotation(methodCreator.getParameterAnnotations(0), "id");
         addLinksAnnotation(methodCreator, resourceMetadata.getEntityType(), REL);
+        addSecurityAnnotations(methodCreator, resourceProperties);
 
         ResultHandle resource = methodCreator.readInstanceField(resourceField, methodCreator.getThis());
         ResultHandle id = methodCreator.getMethodParam(0);
diff --git a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/GetMethodImplementor.java b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/GetMethodImplementor.java
index f9dac35a6b056..9a5504e3fb4af 100644
--- a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/GetMethodImplementor.java
+++ b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/GetMethodImplementor.java
@@ -5,6 +5,7 @@
 
 import javax.ws.rs.core.Response;
 
+import io.quarkus.deployment.Capabilities;
 import io.quarkus.gizmo.BranchResult;
 import io.quarkus.gizmo.ClassCreator;
 import io.quarkus.gizmo.FieldDescriptor;
@@ -28,8 +29,8 @@ public final class GetMethodImplementor extends StandardMethodImplementor {
 
     private static final String REL = "self";
 
-    public GetMethodImplementor(boolean isResteasyClassic, boolean isReactivePanache) {
-        super(isResteasyClassic, isReactivePanache);
+    public GetMethodImplementor(Capabilities capabilities) {
+        super(capabilities);
     }
 
     /**
@@ -90,6 +91,7 @@ protected void implementInternal(ClassCreator classCreator, ResourceMetadata res
         addPathAnnotation(methodCreator, appendToPath(resourceProperties.getPath(RESOURCE_METHOD_NAME), "{id}"));
         addGetAnnotation(methodCreator);
         addProducesJsonAnnotation(methodCreator, resourceProperties);
+        addSecurityAnnotations(methodCreator, resourceProperties);
 
         addPathParamAnnotation(methodCreator.getParameterAnnotations(0), "id");
         addLinksAnnotation(methodCreator, resourceMetadata.getEntityType(), REL);
diff --git a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/ListMethodImplementor.java b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/ListMethodImplementor.java
index 16248f32957b2..9346f5d4c7f7c 100644
--- a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/ListMethodImplementor.java
+++ b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/ListMethodImplementor.java
@@ -10,6 +10,7 @@
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
 
+import io.quarkus.deployment.Capabilities;
 import io.quarkus.gizmo.ClassCreator;
 import io.quarkus.gizmo.FieldDescriptor;
 import io.quarkus.gizmo.MethodCreator;
@@ -41,8 +42,8 @@ public final class ListMethodImplementor extends StandardMethodImplementor {
 
     private final SortImplementor sortImplementor = new SortImplementor();
 
-    public ListMethodImplementor(boolean isResteasyClassic, boolean isReactivePanache) {
-        super(isResteasyClassic, isReactivePanache);
+    public ListMethodImplementor(Capabilities capabilities) {
+        super(capabilities);
 
         this.paginationImplementor = new PaginationImplementor();
     }
@@ -142,6 +143,7 @@ private void implementPaged(ClassCreator classCreator, ResourceMetadata resource
         addPathAnnotation(methodCreator, resourceProperties.getPath(RESOURCE_METHOD_NAME));
         addProducesAnnotation(methodCreator, APPLICATION_JSON);
         addLinksAnnotation(methodCreator, resourceMetadata.getEntityType(), REL);
+        addSecurityAnnotations(methodCreator, resourceProperties);
         addSortQueryParamValidatorAnnotation(methodCreator);
         addQueryParamAnnotation(methodCreator.getParameterAnnotations(0), "sort");
         addQueryParamAnnotation(methodCreator.getParameterAnnotations(1), "page");
@@ -207,6 +209,7 @@ private void implementNotPaged(ClassCreator classCreator, ResourceMetadata resou
         addPathAnnotation(methodCreator, resourceProperties.getPath(RESOURCE_METHOD_NAME));
         addProducesAnnotation(methodCreator, APPLICATION_JSON);
         addLinksAnnotation(methodCreator, resourceMetadata.getEntityType(), REL);
+        addSecurityAnnotations(methodCreator, resourceProperties);
         addQueryParamAnnotation(methodCreator.getParameterAnnotations(0), "sort");
 
         ResultHandle sortQuery = methodCreator.getMethodParam(0);
diff --git a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/StandardMethodImplementor.java b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/StandardMethodImplementor.java
index 1cb56a8484253..7b6078f238fac 100644
--- a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/StandardMethodImplementor.java
+++ b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/StandardMethodImplementor.java
@@ -14,6 +14,8 @@
 
 import org.jboss.logging.Logger;
 
+import io.quarkus.deployment.Capabilities;
+import io.quarkus.deployment.Capability;
 import io.quarkus.gizmo.AnnotatedElement;
 import io.quarkus.gizmo.AnnotationCreator;
 import io.quarkus.gizmo.BytecodeCreator;
@@ -32,16 +34,15 @@
  */
 public abstract class StandardMethodImplementor implements MethodImplementor {
 
+    private static final String ROLES_ALLOWED_ANNOTATION = "javax.annotation.security.RolesAllowed";
     private static final Logger LOGGER = Logger.getLogger(StandardMethodImplementor.class);
 
     protected final ResponseImplementor responseImplementor;
-    private final boolean isResteasyClassic;
-    private final boolean isReactivePanache;
+    private final Capabilities capabilities;
 
-    protected StandardMethodImplementor(boolean isResteasyClassic, boolean isReactivePanache) {
-        this.isResteasyClassic = isResteasyClassic;
-        this.isReactivePanache = isReactivePanache;
-        this.responseImplementor = new ResponseImplementor(isResteasyClassic);
+    protected StandardMethodImplementor(Capabilities capabilities) {
+        this.capabilities = capabilities;
+        this.responseImplementor = new ResponseImplementor(capabilities);
     }
 
     /**
@@ -91,7 +92,7 @@ protected void addDeleteAnnotation(AnnotatedElement element) {
     }
 
     protected void addLinksAnnotation(AnnotatedElement element, String entityClassName, String rel) {
-        if (isResteasyClassic) {
+        if (isResteasyClassic()) {
             AnnotationCreator linkResource = element.addAnnotation("org.jboss.resteasy.links.LinkResource");
             linkResource.addValue("entityClassName", entityClassName);
             linkResource.addValue("rel", rel);
@@ -148,6 +149,13 @@ protected void addSortQueryParamValidatorAnnotation(AnnotatedElement element) {
         element.addAnnotation(SortQueryParamValidator.class);
     }
 
+    protected void addSecurityAnnotations(AnnotatedElement element, ResourceProperties resourceProperties) {
+        String[] rolesAllowed = resourceProperties.getRolesAllowed(getResourceMethodName());
+        if (rolesAllowed.length > 0 && hasSecurityCapability()) {
+            element.addAnnotation(ROLES_ALLOWED_ANNOTATION).add("value", rolesAllowed);
+        }
+    }
+
     protected String appendToPath(String path, String suffix) {
         if (path.endsWith("/")) {
             path = path.substring(0, path.lastIndexOf("/"));
@@ -158,11 +166,19 @@ protected String appendToPath(String path, String suffix) {
         return String.join("/", path, suffix);
     }
 
+    protected boolean hasSecurityCapability() {
+        return capabilities.isPresent(Capability.SECURITY);
+    }
+
+    protected boolean hasValidatorCapability() {
+        return capabilities.isPresent(Capability.HIBERNATE_VALIDATOR);
+    }
+
     protected boolean isResteasyClassic() {
-        return isResteasyClassic;
+        return capabilities.isPresent(Capability.RESTEASY);
     }
 
     protected boolean isNotReactivePanache() {
-        return !isReactivePanache;
+        return !capabilities.isPresent(Capability.HIBERNATE_REACTIVE);
     }
 }
diff --git a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/UpdateMethodImplementor.java b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/UpdateMethodImplementor.java
index b2847251ac2c0..558066874ae5a 100644
--- a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/UpdateMethodImplementor.java
+++ b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/UpdateMethodImplementor.java
@@ -12,6 +12,7 @@
 import io.quarkus.arc.Arc;
 import io.quarkus.arc.ArcContainer;
 import io.quarkus.arc.InstanceHandle;
+import io.quarkus.deployment.Capabilities;
 import io.quarkus.gizmo.AssignableResultHandle;
 import io.quarkus.gizmo.BranchResult;
 import io.quarkus.gizmo.BytecodeCreator;
@@ -41,11 +42,8 @@ public final class UpdateMethodImplementor extends StandardMethodImplementor {
 
     private static final String EXCEPTION_MESSAGE = "Failed to update an entity";
 
-    private final boolean withValidation;
-
-    public UpdateMethodImplementor(boolean withValidation, boolean isResteasyClassic, boolean isReactivePanache) {
-        super(isResteasyClassic, isReactivePanache);
-        this.withValidation = withValidation;
+    public UpdateMethodImplementor(Capabilities capabilities) {
+        super(capabilities);
     }
 
     /**
@@ -145,8 +143,9 @@ protected void implementInternal(ClassCreator classCreator, ResourceMetadata res
         addConsumesAnnotation(methodCreator, APPLICATION_JSON);
         addProducesJsonAnnotation(methodCreator, resourceProperties);
         addLinksAnnotation(methodCreator, resourceMetadata.getEntityType(), REL);
+        addSecurityAnnotations(methodCreator, resourceProperties);
         // Add parameter annotations
-        if (withValidation) {
+        if (hasValidatorCapability()) {
             methodCreator.getParameterAnnotations(1).addAnnotation(Valid.class);
         }
 
diff --git a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/hal/HalMethodImplementor.java b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/hal/HalMethodImplementor.java
index 4a880938bd89e..27b78f76f84ba 100644
--- a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/hal/HalMethodImplementor.java
+++ b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/hal/HalMethodImplementor.java
@@ -8,6 +8,7 @@
 import io.quarkus.arc.Arc;
 import io.quarkus.arc.ArcContainer;
 import io.quarkus.arc.InstanceHandle;
+import io.quarkus.deployment.Capabilities;
 import io.quarkus.gizmo.BytecodeCreator;
 import io.quarkus.gizmo.ClassCreator;
 import io.quarkus.gizmo.FieldDescriptor;
@@ -26,8 +27,8 @@
  */
 abstract class HalMethodImplementor extends StandardMethodImplementor {
 
-    HalMethodImplementor(boolean isResteasyClassic, boolean isReactivePanache) {
-        super(isResteasyClassic, isReactivePanache);
+    HalMethodImplementor(Capabilities capabilities) {
+        super(capabilities);
     }
 
     /**
diff --git a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/hal/ListHalMethodImplementor.java b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/hal/ListHalMethodImplementor.java
index 6c888edd013db..09da8fbfe7e73 100644
--- a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/hal/ListHalMethodImplementor.java
+++ b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/hal/ListHalMethodImplementor.java
@@ -11,6 +11,7 @@
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
 
+import io.quarkus.deployment.Capabilities;
 import io.quarkus.gizmo.BytecodeCreator;
 import io.quarkus.gizmo.ClassCreator;
 import io.quarkus.gizmo.FieldDescriptor;
@@ -42,8 +43,8 @@ public final class ListHalMethodImplementor extends HalMethodImplementor {
 
     private final SortImplementor sortImplementor = new SortImplementor();
 
-    public ListHalMethodImplementor(boolean isResteasyClassic, boolean isReactivePanache) {
-        super(isResteasyClassic, isReactivePanache);
+    public ListHalMethodImplementor(Capabilities capabilities) {
+        super(capabilities);
         this.paginationImplementor = new PaginationImplementor();
     }
 
@@ -133,6 +134,7 @@ private void implementPaged(ClassCreator classCreator, ResourceMetadata resource
         addPathAnnotation(methodCreator, resourceProperties.getPath(RESOURCE_METHOD_NAME));
         addGetAnnotation(methodCreator);
         addProducesAnnotation(methodCreator, APPLICATION_HAL_JSON);
+        addSecurityAnnotations(methodCreator, resourceProperties);
         addSortQueryParamValidatorAnnotation(methodCreator);
         addQueryParamAnnotation(methodCreator.getParameterAnnotations(0), "sort");
         addQueryParamAnnotation(methodCreator.getParameterAnnotations(1), "page");
@@ -207,6 +209,7 @@ private void implementNotPaged(ClassCreator classCreator, ResourceMetadata resou
         addPathAnnotation(methodCreator, resourceProperties.getPath(RESOURCE_METHOD_NAME));
         addGetAnnotation(methodCreator);
         addProducesAnnotation(methodCreator, APPLICATION_HAL_JSON);
+        addSecurityAnnotations(methodCreator, resourceProperties);
         addQueryParamAnnotation(methodCreator.getParameterAnnotations(0), "sort");
 
         ResultHandle sortQuery = methodCreator.getMethodParam(0);
diff --git a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/properties/MethodProperties.java b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/properties/MethodProperties.java
index d47615d9b2523..e9f6b48e05928 100644
--- a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/properties/MethodProperties.java
+++ b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/properties/MethodProperties.java
@@ -6,9 +6,12 @@ public class MethodProperties {
 
     private final String path;
 
-    public MethodProperties(boolean exposed, String path) {
+    private final String[] rolesAllowed;
+
+    public MethodProperties(boolean exposed, String path, String[] rolesAllowed) {
         this.exposed = exposed;
         this.path = path;
+        this.rolesAllowed = rolesAllowed;
     }
 
     public boolean isExposed() {
@@ -18,4 +21,8 @@ public boolean isExposed() {
     public String getPath() {
         return path;
     }
+
+    public String[] getRolesAllowed() {
+        return rolesAllowed;
+    }
 }
diff --git a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/properties/ResourceProperties.java b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/properties/ResourceProperties.java
index 4318e021166a9..9208b8ef049c0 100644
--- a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/properties/ResourceProperties.java
+++ b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/properties/ResourceProperties.java
@@ -14,15 +14,18 @@ public class ResourceProperties {
 
     private final String halCollectionName;
 
+    private final String[] rolesAllowed;
+
     private final Map<String, MethodProperties> methodProperties;
 
     public ResourceProperties(boolean exposed, String path, boolean paged, boolean hal, String halCollectionName,
-            Map<String, MethodProperties> methodProperties) {
+            String[] rolesAllowed, Map<String, MethodProperties> methodProperties) {
         this.exposed = exposed;
         this.path = path;
         this.paged = paged;
         this.hal = hal;
         this.halCollectionName = halCollectionName;
+        this.rolesAllowed = rolesAllowed;
         this.methodProperties = methodProperties;
     }
 
@@ -68,4 +71,12 @@ public boolean isHal() {
     public String getHalCollectionName() {
         return halCollectionName;
     }
+
+    public String[] getRolesAllowed(String methodName) {
+        if (methodProperties.containsKey(methodName)) {
+            return methodProperties.get(methodName).getRolesAllowed();
+        }
+
+        return rolesAllowed;
+    }
 }
diff --git a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/properties/ResourcePropertiesProvider.java b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/properties/ResourcePropertiesProvider.java
index 13fc2fd1bcc80..c2c3e72f025b2 100644
--- a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/properties/ResourcePropertiesProvider.java
+++ b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/properties/ResourcePropertiesProvider.java
@@ -41,6 +41,7 @@ public ResourceProperties getForInterface(String resourceInterface) {
                 isPaged(annotation),
                 isHal(annotation),
                 getHalCollectionName(annotation, resourceInterface),
+                getRolesAllowed(annotation),
                 methodProperties);
     }
 
@@ -74,7 +75,7 @@ private void collectMethodProperties(DotName className, Map<String, MethodProper
     }
 
     private MethodProperties getMethodProperties(AnnotationInstance annotation) {
-        return new MethodProperties(isExposed(annotation), getPath(annotation));
+        return new MethodProperties(isExposed(annotation), getPath(annotation), getRolesAllowed(annotation));
     }
 
     private boolean isHal(AnnotationInstance annotation) {
@@ -115,4 +116,12 @@ private String getHalCollectionName(AnnotationInstance annotation, String resour
         }
         return ResourceName.fromClass(resourceInterface);
     }
+
+    private String[] getRolesAllowed(AnnotationInstance annotation) {
+        if (annotation != null && annotation.value("rolesAllowed") != null) {
+            return annotation.value("rolesAllowed").asStringArray();
+        }
+
+        return new String[0];
+    }
 }
diff --git a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/utils/ResponseImplementor.java b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/utils/ResponseImplementor.java
index ab14843701de0..2b0f049d8cce4 100644
--- a/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/utils/ResponseImplementor.java
+++ b/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/utils/ResponseImplementor.java
@@ -13,6 +13,8 @@
 import io.quarkus.arc.Arc;
 import io.quarkus.arc.ArcContainer;
 import io.quarkus.arc.InstanceHandle;
+import io.quarkus.deployment.Capabilities;
+import io.quarkus.deployment.Capability;
 import io.quarkus.gizmo.BytecodeCreator;
 import io.quarkus.gizmo.MethodDescriptor;
 import io.quarkus.gizmo.ResultHandle;
@@ -22,10 +24,10 @@
 
 public final class ResponseImplementor {
 
-    private final boolean isResteasyClassic;
+    private final Capabilities capabilities;
 
-    public ResponseImplementor(boolean isResteasyClassic) {
-        this.isResteasyClassic = isResteasyClassic;
+    public ResponseImplementor(Capabilities capabilities) {
+        this.capabilities = capabilities;
     }
 
     public ResultHandle ok(BytecodeCreator creator, ResultHandle entity) {
@@ -62,7 +64,7 @@ public ResultHandle getEntityUrl(BytecodeCreator creator, ResultHandle entity) {
                 MethodDescriptor.ofMethod(ArcContainer.class, "instance", InstanceHandle.class, Class.class,
                         Annotation[].class),
                 arcContainer,
-                creator.loadClassFromTCCL(isResteasyClassic ? ResteasyHalService.class : ResteasyReactiveHalService.class),
+                creator.loadClassFromTCCL(isResteasyClassic() ? ResteasyHalService.class : ResteasyReactiveHalService.class),
                 creator.loadNull());
         ResultHandle halService = creator.invokeInterfaceMethod(
                 MethodDescriptor.ofMethod(InstanceHandle.class, "get", Object.class),
@@ -96,4 +98,8 @@ private ResultHandle getResponseBuilder(BytecodeCreator creator, int status) {
         return creator.invokeStaticMethod(
                 ofMethod(Response.class, "status", ResponseBuilder.class, int.class), creator.load(status));
     }
+
+    private boolean isResteasyClassic() {
+        return capabilities.isPresent(Capability.RESTEASY);
+    }
 }
diff --git a/extensions/panache/rest-data-panache/runtime/src/main/java/io/quarkus/rest/data/panache/MethodProperties.java b/extensions/panache/rest-data-panache/runtime/src/main/java/io/quarkus/rest/data/panache/MethodProperties.java
index 5c0c8bbc26ff7..613ed3cae8ed4 100644
--- a/extensions/panache/rest-data-panache/runtime/src/main/java/io/quarkus/rest/data/panache/MethodProperties.java
+++ b/extensions/panache/rest-data-panache/runtime/src/main/java/io/quarkus/rest/data/panache/MethodProperties.java
@@ -30,4 +30,11 @@
      * Default: ""
      */
     String path() default "";
+
+    /**
+     * List of the security roles permitted to access this operation.
+     * <p>
+     * Default: ""
+     */
+    String[] rolesAllowed() default {};
 }
diff --git a/extensions/panache/rest-data-panache/runtime/src/main/java/io/quarkus/rest/data/panache/ResourceProperties.java b/extensions/panache/rest-data-panache/runtime/src/main/java/io/quarkus/rest/data/panache/ResourceProperties.java
index e1865e8b7ef95..5b15b905b7846 100644
--- a/extensions/panache/rest-data-panache/runtime/src/main/java/io/quarkus/rest/data/panache/ResourceProperties.java
+++ b/extensions/panache/rest-data-panache/runtime/src/main/java/io/quarkus/rest/data/panache/ResourceProperties.java
@@ -57,4 +57,11 @@
      * Default: hyphenated resource name without a suffix. Ignored suffixes are `Controller` and `Resource`.
      */
     String halCollectionName() default "";
+
+    /**
+     * List of the security roles permitted to access the resources.
+     * <p>
+     * Default: ""
+     */
+    String[] rolesAllowed() default {};
 }
diff --git a/extensions/spring-data-rest/deployment/src/main/java/io/quarkus/spring/data/rest/deployment/ResourcePropertiesProvider.java b/extensions/spring-data-rest/deployment/src/main/java/io/quarkus/spring/data/rest/deployment/ResourcePropertiesProvider.java
index 16bf0966e5a4a..4613e4e22150e 100644
--- a/extensions/spring-data-rest/deployment/src/main/java/io/quarkus/spring/data/rest/deployment/ResourcePropertiesProvider.java
+++ b/extensions/spring-data-rest/deployment/src/main/java/io/quarkus/spring/data/rest/deployment/ResourcePropertiesProvider.java
@@ -41,7 +41,7 @@ public ResourceProperties getResourceProperties(String interfaceName) {
         String halCollectionName = getHalCollectionName(annotation, ResourceName.fromClass(interfaceName));
 
         return new ResourceProperties(isExposed(annotation), resourcePath, paged, true, halCollectionName,
-                getMethodProperties(repositoryInterfaceName));
+                new String[0], getMethodProperties(repositoryInterfaceName));
     }
 
     private Map<String, MethodProperties> getMethodProperties(DotName interfaceName) {
@@ -56,7 +56,7 @@ private Map<String, MethodProperties> getMethodProperties(DotName interfaceName)
     }
 
     private MethodProperties getMethodProperties(AnnotationInstance annotation) {
-        return new MethodProperties(isExposed(annotation), getPath(annotation, ""));
+        return new MethodProperties(isExposed(annotation), getPath(annotation, ""), new String[0]);
     }
 
     private AnnotationInstance findClassAnnotation(DotName interfaceName) {