Skip to content

How to activate my own Jakarta HttpAuthenticationMechanism implementation in Jakarta EE app

I am creating an simple Jakarta EE 9 app. Because of my own reason, I have to implement my own HttpAuthenticationMechanism (I am not using built-in HttpAuthenticationMechanism CDI beans).

I am having an issue with activating my own HttpAuthenticationMechanism. In my login servlet, I try to call SecurityContext.authenticate(request, response, AuthenticationParameters) to process a login manually, but my own HttpAuthenticationMechanism never get called. It was supposed to be called.

My own HttpAuthenticationMechanism & its annotations


public class MyOwnHttpAuthenticationMechanism implements HttpAuthenticationMechanism {

    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext)
            throws AuthenticationException {
        // Never called

As you see, I already added @Alternative and @Priority to activate the bean.

My environment:

  • Jakarta EE 9.1
  • Wildfly 26 preview for Jakarta EE 9
  • I also changed Integrated JASPI from ON to OFF on the Wildfly.
  • my jboss-web.xml: < security-domain>jaspitest< /security-domain>
  • Java 11

Any helps? Thank you!



I found out what was wrong. There was NO security domain ‘jaspitest’ in Wildfly 26. This security domain existed in Wildfly before by default, but no longer exists. That was the reason why my own HttpAuthenticationMechanism did not get invoked.

Solution: Use Security Domain ‘other’ instead, OR remove the security-domain tag from jboss-web.xml, OR your own security domain

5 People found this is helpful