Multiple HttpAuthenticationMechanisms in EAR Application

Within the Security API specification, an HttpAuthenticationMechanism can be defined to retrieve the user credentials from the HTTP Request. These credentials are then used by any configured identity stores to validate the user.

However, a restriction of the Security API specification is that only one HttpAuthenticationMechanism can be defined per application. This restriction is also in place for EAR applications file where it’s possible to have multiple web modules.

Payara Server allows to circumvent this restriction so that multiple authentication mechanisms are used in an EAR application that hosts more than one Web module. To this effect, each web module must configure its own authentication mechanism separately.

In order to use this feature, there must not be any custom HttpAuthenticationMechanism implementations bundled in any of the modules hosted in the EAR artifact. If this is the case, the feature will not work as intended.
This behaviour is specific to the Payara Platform and not compatible with the Jakarta Security specification.

How to Configure

In order to configure a specific HttpAuthenticationMechanism for a Web application, define the fish.payara.security.mechanism parameter in the web.xml deployment descriptor like in the following case:

<context-param>
    <param-name>fish.payara.security.mechanism</param-name>
    <param-value>JWT</param-value>
</context-param>

The following mechanisms can be used:

Value Description

Basic

Use BasicAuthenticationMechanism as mechanism.

Form

Use FormAuthenticationMechanism as mechanism.

CustomForm

Use CustomFormAuthenticationMechanism as mechanism.

JWT

Use the custom Payara JWTAuthenticationMechanism as mechanism.

Certificate

Use the custom Payara CertificateAuthenticationMechanism as mechanism.

OIDC

Use the custom Payara OpenIdAuthenticationMechanism as mechanism.

OAuth2

Use the custom Payara OAuth2AuthenticationMechanism as mechanism.

<any Fully Qualified Class Name>

Use the HttpAuthenticationMechanism indicated by the class name.

When no parameter is specified, the standard rules of the Security API are active (only 1 allowed per artifact).