Core Documentation

JACC stands for Java Authentication Contract for Containers. It’s defined in the JSR 115 specification and all Java EE complaint servers are mandated to provide a JACC Policy by default.

How to install a custom JACC provider per Server (Global)

Having coded a JACC provider, the first thing to do it is to make these classes available for the server. For that purpose, you need to put the implementation JAR, with all its dependencies, under the {PAYARA_HOME}/lib folder.

The next thing to do is to tell Payara you want to use the custom JACC provider. To do this, you have to execute the following administration command:

--policyProvider=com.example.CustomPolicy --target=server-config custom-provider set

This will result in the following configuration element added to the domain.xml file:

<security-service jacc="custom-provider">
    <jacc-provider policy-provider="com.example.CustomPolicy" name="custom-provider"
    <!-- More providers can be defined -->

As you can see on the XML excerpt, more JACC providers can be defined (by default, the simple and default providers are already defined), but only one will be used at runtime, specified by the jacc attribute on the security-service element.

How to install a custom JACC provider per Application (Local)

Since Payara Server and 5.182

With a custom JACC provide per server, applications deployed to a single server can’t have their own custom authorization contracts. In this case, having a custom JACC Provider per application makes more sense by using the fish.payara.jacc.JaccConfigurationFactory API.

To access this API, you will need to add a dependency to the Payara Public API first.

In the example below, when an application is deployed, a custom JACC provider is registered programmatically using the JaccConfigurationFactory(consisting of a JACC PolicyConfigurationFactory and Policy implementation objects) in the contextInitialized method of ServletContextListener.

public class JaccInstaller implements ServletContextListener {

    public void contextInitialized(ServletContextEvent sce) {

                        new CustomPolicyConfigurationFactory(),
                        new CustomPolicy()


    private String getAppContextId(ServletContext servletContext) {
        return servletContext.getVirtualServerName() + " " + servletContext.getContextPath();