Within the Security API specification, an HttpAuthenticationMechanism can be defined to retrieve the user credentials from the HTTP request. These credentials are then passed to the configured identity stores to validate the user.
However, the Security API specification restricts an application to a single HttpAuthenticationMechanism. This restriction also applies to EAR applications, even though an EAR can contain multiple web modules.
Payara Server allows this restriction to be circumvented so that an EAR application hosting more than one web module can use multiple authentication mechanisms. To this end, each web module must configure its own authentication mechanism separately.
To use this feature, none of the modules hosted in the EAR artifact may bundle a custom HttpAuthenticationMechanism implementation. If one does, the feature will not work as intended.
Note: This behaviour is specific to the Payara Platform and is not compatible with the Jakarta Security specification.
How to Configure
To configure a specific HttpAuthenticationMechanism for a web application, define the fish.payara.security.mechanism context parameter in that module's web.xml deployment descriptor, as in the following example:

    <context-param>
        <param-name>fish.payara.security.mechanism</param-name>
        <param-value>JWT</param-value>
    </context-param>
The following values can be used:

Value | Description
---|---
Basic | Use BasicAuthenticationMechanism as mechanism.
Form | Use FormAuthenticationMechanism as mechanism.
CustomForm | Use CustomFormAuthenticationMechanism as mechanism.
JWT | Use the custom Payara JWTAuthenticationMechanism as mechanism.
Certificate | Use the custom Payara CertificateAuthenticationMechanism as mechanism.
OIDC | Use the custom Payara OpenIdAuthenticationMechanism as mechanism.
OAuth2 | Use the custom Payara OAuth2AuthenticationMechanism as mechanism.
<any Fully Qualified Class Name> | Use the class with that fully qualified name as mechanism.

When no parameter is specified, the standard rules of the Security API apply (only one mechanism allowed per artifact).
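The following script is an added example, not Payara's own tooling, that audits an exploded EAR against the two rules described above: it reads each web module's fish.payara.security.mechanism value from web.xml and, by parsing the interfaces table of every class file under WEB-INF/classes, reports any module that bundles its own HttpAuthenticationMechanism implementation, which would stop the feature from working. The module layout, the web.xml template and the class files built in demo() are constructed for the example; treating a dotted value as a fully qualified class name and scanning only WEB-INF/classes (not the jars in WEB-INF/lib) are the script's own assumptions.

```python
import os
import struct
import tempfile
import xml.etree.ElementTree as ET

PARAM = "fish.payara.security.mechanism"
SUPPORTED = {"Basic", "Form", "CustomForm", "JWT", "Certificate", "OIDC", "OAuth2"}
MECHANISM_IFACE = "security/enterprise/authentication/mechanism/http/HttpAuthenticationMechanism"  # sans jakarta/ or javax/
CP_SIZES = {3: 5, 4: 5, 5: 9, 6: 9, 8: 3, 9: 5, 10: 5, 11: 5, 12: 5, 15: 4, 16: 3, 17: 5, 18: 5, 19: 3, 20: 3}
WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="5.0">
  <context-param><param-name>%s</param-name><param-value>%s</param-value></context-param>
</web-app>"""                                                     # constructed template for the demo modules

def declared_mechanism(web_xml):
    """Value of the fish.payara.security.mechanism context-param, or None if absent."""
    for cp in ET.fromstring(web_xml).iter():
        if cp.tag.rsplit("}", 1)[-1] == "context-param":          # strip the XML namespace
            kv = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in cp}
            if kv.get("param-name") == PARAM:
                return kv.get("param-value")

def class_interfaces(data):
    """Parse a JVM class file just far enough to list the interfaces it implements (JVMS 4.1, 4.4)."""
    pool, pos, i = [None] * struct.unpack(">H", data[8:10])[0], 10, 1
    while i < len(pool):                                          # constant pool; CP_SIZES has the fixed-size tags
        tag = data[pos]
        if tag == 1:                                              # Utf8: u2 length + bytes
            n = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            pool[i] = data[pos + 3:pos + 3 + n].decode("utf-8", "replace")
            pos += 3 + n
        elif tag == 7:                                            # Class: u2 index of a Utf8 entry
            pool[i] = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            pos += 3
        else:
            pos += CP_SIZES[tag]                                  # KeyError on an unknown tag
            i += 1 if tag in (5, 6) else 0                        # Long/Double take two slots
        i += 1
    n_ifaces = struct.unpack(">H", data[pos + 6:pos + 8])[0]      # skip access_flags, this_class, super_class
    idx = struct.unpack(">%dH" % n_ifaces, data[pos + 8:pos + 8 + 2 * n_ifaces])
    return [pool[pool[k]] for k in idx]

def build_class(name, interfaces):
    """Constructed, member-less class file (ASCII names) used only to exercise the parser; not javac output."""
    pool = []
    def cls(s):                                                   # append Utf8 + Class entries, return Class index
        pool.append(b"\x01" + struct.pack(">H", len(s)) + s.encode())
        pool.append(b"\x07" + struct.pack(">H", len(pool)))
        return len(pool)
    this, sup, ifs = cls(name), cls("java/lang/Object"), [cls(i) for i in interfaces]
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(pool) + 1) + b"".join(pool)
            + struct.pack(">HHHH", 0x21, this, sup, len(ifs)) + struct.pack(">%dH" % len(ifs), *ifs)
            + struct.pack(">HHH", 0, 0, 0))                       # no fields, methods or attributes

def audit_ear(ear_dir):
    """{module: (declared mechanism or None, [classes implementing HttpAuthenticationMechanism])}."""
    report = {}
    for module in sorted(os.listdir(ear_dir)):
        web_inf = os.path.join(ear_dir, module, "WEB-INF")
        if not os.path.isfile(os.path.join(web_inf, "web.xml")):
            continue                                              # not a web module
        with open(os.path.join(web_inf, "web.xml"), "rb") as f:
            mech = declared_mechanism(f.read())
        classes_dir, custom = os.path.join(web_inf, "classes"), []   # assumption: WEB-INF/lib jars not scanned
        for root, _, files in os.walk(classes_dir):
            for path in (os.path.join(root, fn) for fn in files if fn.endswith(".class")):
                with open(path, "rb") as f:
                    if any(i.endswith(MECHANISM_IFACE) for i in class_interfaces(f.read())):
                        custom.append(os.path.relpath(path, classes_dir)[:-6].replace(os.sep, "/"))
        report[module] = (mech, custom)
    return report

def findings(report):
    """Deviations from the rules in the text; an empty list means the EAR is configured as required."""
    out = []
    for module, (mech, custom) in report.items():
        if mech is None:
            out.append("%s: no %s, standard single-mechanism rule applies" % (module, PARAM))
        elif mech not in SUPPORTED and "." not in mech:           # assumption: a dotted value is a FQCN
            out.append("%s: unsupported mechanism %r" % (module, mech))
        out += ["%s: bundles custom HttpAuthenticationMechanism %s" % (module, c) for c in custom]
    return out

def demo():
    """Constructed two-module EAR: api.war uses JWT cleanly; admin.war uses Basic but ships its own mechanism."""
    modules = {"api.war": ("JWT", {"com/example/api/Health": []}),
               "admin.war": ("Basic", {"com/example/admin/TokenMechanism": ["jakarta/" + MECHANISM_IFACE]})}
    with tempfile.TemporaryDirectory() as ear:
        for module, (mech, classes) in modules.items():
            web_inf = os.path.join(ear, module, "WEB-INF")
            os.makedirs(web_inf)
            with open(os.path.join(web_inf, "web.xml"), "w") as f:
                f.write(WEB_XML % (PARAM, mech))
            for cname, ifaces in classes.items():
                path = os.path.join(web_inf, "classes", cname + ".class")
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(build_class(cname, ifaces))
        report = audit_ear(ear)
    return report, findings(report)
```

Run `demo()` to see the report for the constructed EAR: api.war is clean, while admin.war is flagged for bundling a class that implements the mechanism interface, which is exactly the situation the text says will break the per-module configuration. Point `audit_ear` at a real exploded EAR to check a deployment; the interface check looks at the class file's interfaces table rather than grepping for the name, so classes that merely inject or reference an HttpAuthenticationMechanism are not reported.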