Multiple HttpAuthenticationMechanism in EAR

Since Payara Server 5.2020.3

Within the Security API specification, an HttpAuthenticationMechanism can be defined to retrieve the user credentials from the HTTP Request. These credentials are then used by the IdentityStore to validate the user. For an introduction, have a look at this article

A restriction of the current Security API specification is that only 1 HttpAuthenticationMechanism can be defined within an application. This restriction also applies to an EAR file where you can have multiple Web application bundled.

There is already an issue to address this restriction at the Security API project, but as an intermediate solution, we have introduced a new web.xml parameter within Payara so that you can define an HttpAuthenticationMechanism for each Web applications in an EAR artifact.


In order to configure a specific HttpAuthenticationMechanism for a Web application, define the parameter within the web.xml file.


The supported values are




Use BasicAuthenticationMechanism as mechanism.


Use FormAuthenticationMechanism as mechanism.


Use CustomFormAuthenticationMechanism as mechanism.


Use the custom Payara JWTAuthenticationMechanism as mechanism.


Use the custom Payara CertificateAuthenticationMechanism as mechanism.


Use the custom Payara AzureOpenIdAuthenticationMechanism as mechanism.


Use the custom Payara GoogleOpenIdAuthenticationMechanism as mechanism.


Use the custom Payara OAuth2AuthenticationMechanism as mechanism.

<any Fully Qualified Class Name>

Use the HttpAuthenticationMechanism indicated by the classname.

When no parameter is specified, the standard rules of the Security API are active (only 1 allowed per artifact).