We are using Payara 5.2022.1 in a project where a very specific custom auth solution MUST be used. That solution sends a (non-JWT) Bearer token in the Authorization header, and a JAX-RS filter picks that token and creates a SecurityContext. So far, so good. The problem is that as soon as @RolesAllowed is found in a JAX-RS resource, Payara always returns 401, as apparently it does not check if the token is a JWT token, but simply fails to parse it. While we think this is a bug (if the parsing fails, the request must not get answered by 401 but simply forwarded to our own JAX-RS @ PreMatching @ Priority(AUTHENTICATION) filter), we worked around by using a @CustomRolesAllowed instead, which works fine for now. But what we actually like to instead is: Can we set a Payara specific option that simply switch off JWT support completely (not the support for @ RolesAllowed for JAX-RS, but just the parsing of JWT)?