Multiple HttpAuthenticationMechanism in EAR

Since Payara Server 5.2020.3

Within the Security API specification, an HttpAuthenticationMechanism can be defined to retrieve the user credentials from the HTTP Request. These credentials are then used by the IdentityStore to validate the user. For an introduction, have a look at this article

A restriction of the current Security API specification is that only 1 HttpAuthenticationMechanism can be defined within an application. This restriction also applies to an EAR file where you can have multiple Web application bundled.

There is already an issue to address this restriction at the Security API project, but as an intermediate solution, we have introduced a new web.xml parameter within Payara so that you can define an HttpAuthenticationMechanism for each Web applications in an EAR artifact.


In order to configure a specific HttpAuthenticationMechanism for a Web application, define the parameter within the web.xml file.

There must not be any CDI beans in any of the EAR modules that implement HttpAuthenticationMechanism or they must be disabled (e.g. by the @Vetoed annotation or using the scan and exclude elements in beans.xml). Payara Server enables an internal implementation of HttpAuthenticationMechanism which provides different authentication mechanisms to different web modules and any other enabled mechanism would clash and an exception would be raised.

The supported values are




Use BasicAuthenticationMechanism as mechanism.


Use FormAuthenticationMechanism as mechanism.


Use CustomFormAuthenticationMechanism as mechanism.


Use the custom Payara JWTAuthenticationMechanism as mechanism.


Use the custom Payara CertificateAuthenticationMechanism as mechanism.


Use the custom Payara AzureOpenIdAuthenticationMechanism as mechanism.


Use the custom Payara GoogleOpenIdAuthenticationMechanism as mechanism.


Use the custom Payara OAuth2AuthenticationMechanism as mechanism.

<any Fully Qualified Class Name>

Use the HttpAuthenticationMechanism indicated by the classname.

When no parameter is specified, the standard rules of the Security API are active (only 1 allowed per artifact).