Multiple HttpAuthenticationMechanism in EAR
Since Payara Server 5.2020.3
Within the Security API specification, an
HttpAuthenticationMechanism can be defined to retrieve the user credentials from the HTTP Request. These credentials are then used by the IdentityStore to validate the user. For an introduction, have a look at this article
A restriction of the current Security API specification is that only 1
HttpAuthenticationMechanism can be defined within an application. This restriction also applies to an EAR file where you can have multiple Web application bundled.
There is already an issue to address this restriction at the Security API project, but as an intermediate solution, we have introduced a new
web.xml parameter within Payara so that you can define an
HttpAuthenticationMechanism for each Web applications in an EAR artifact.
In order to configure a specific
HttpAuthenticationMechanism for a Web application, define the parameter
fish.payara.security.mechanism within the web.xml file.
There must not be any CDI beans in any of the EAR modules that implement
HttpAuthenticationMechanism or they must be disabled (e.g. by the
@Vetoed annotation or using the
exclude elements in
beans.xml). Payara Server enables an internal implementation of
HttpAuthenticationMechanism which provides different authentication mechanisms to different web modules and any other enabled mechanism would clash and an exception would be raised.
The supported values are
Use BasicAuthenticationMechanism as mechanism.
Use FormAuthenticationMechanism as mechanism.
Use CustomFormAuthenticationMechanism as mechanism.
Use the custom Payara JWTAuthenticationMechanism as mechanism.
Use the custom Payara CertificateAuthenticationMechanism as mechanism.
Use the custom Payara AzureOpenIdAuthenticationMechanism as mechanism.
Use the custom Payara GoogleOpenIdAuthenticationMechanism as mechanism.
Use the custom Payara OAuth2AuthenticationMechanism as mechanism.
<any Fully Qualified Class Name>
When no parameter is specified, the standard rules of the Security API are active (only 1 allowed per artifact).