In my EAR I have a WAR with the following custom security extension:
import java.security.Principal;
import java.util.Set;

import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.AuthenticationException;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@ApplicationScoped
public class CustomAuth implements HttpAuthenticationMechanism {

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
                                                HttpMessageContext httpMsgContext) throws AuthenticationException {
        // The Authorization header is never inspected: every request, with or without
        // credentials, is logged in as caller "P" with the single group "R".
        Principal principal = new Principal() {
            @Override
            public String getName() {
                return "P";
            }
        };
        Set<String> roles = Set.of("R");   // handed to the container as the caller's groups
        return httpMsgContext.notifyContainerAboutLogin(principal, roles);
    }
}
Then I am running a BASIC Auth’ed request against this resource:
import javax.annotation.security.PermitAll;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
...
    // javax.ws.rs.core.SecurityContext, injected by JAX-RS; it exposes
    // getUserPrincipal()/isUserInRole() (getCallerPrincipal() belongs to the
    // Java EE Security API's javax.security.enterprise.SecurityContext).
    @Context
    public SecurityContext scx;

    @Path("test") @GET @PermitAll
    public String test() {
        String result = this.scx.getUserPrincipal().getName() + " " + this.scx.isUserInRole("R");
        System.out.println(result);   // this is the line that ends up in server.log
        return result;
    }
The result is that the string "P false" is found in server.log, while certainly it should be "P true".
Apparently Payara ignores the roles provided by the custom security extension!
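The listing below is an added example (the editor's, not the poster's code) showing what a practitioner would deploy to narrow down where the role is lost: a mechanism that actually validates the Basic credentials through an IdentityStore instead of logging every request in as a fixed principal, and a resource that reports the caller and the role check through both the JAX-RS SecurityContext and the Java EE Security API SecurityContext side by side. It targets the javax.* Java EE 8 APIs that Payara 5 ships; the class names, the path "check", and the constructed store entry "alice"/"secret" are assumptions. The three classes are shown in one listing for reading and go into one file each when compiled.

```java
import java.util.Map;
import java.util.Set;

import javax.annotation.security.DeclareRoles;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.AuthenticationException;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.SecurityContext;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.credential.BasicAuthenticationCredential;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.IdentityStoreHandler;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;

// Hypothetical mechanism: validates the Basic credentials instead of trusting every request.
@ApplicationScoped
public class CheckedBasicAuth implements HttpAuthenticationMechanism {

    @Inject
    private IdentityStoreHandler identityStoreHandler;

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
                                                HttpMessageContext context) throws AuthenticationException {
        String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            // No credentials: challenge the client rather than logging it in as anyone.
            response.setHeader(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"demo\"");
            return context.responseUnauthorized();
        }
        // BasicAuthenticationCredential base64-decodes the "user:password" token for us.
        Credential credential = new BasicAuthenticationCredential(header.substring(6).trim());
        CredentialValidationResult result = identityStoreHandler.validate(credential);
        if (result.getStatus() != CredentialValidationResult.Status.VALID) {
            return context.responseUnauthorized();
        }
        // Caller name and groups come from the store; the groups still have to be mapped to roles.
        return context.notifyContainerAboutLogin(result);
    }
}

// Hypothetical in-memory store with constructed test data, standing in for a real user database.
@ApplicationScoped
class DemoIdentityStore implements IdentityStore {
    private static final Map<String, String> PASSWORDS = Map.of("alice", "secret");
    private static final Map<String, Set<String>> GROUPS = Map.of("alice", Set.of("R"));

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (credential instanceof UsernamePasswordCredential) {
            UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
            String expected = PASSWORDS.get(upc.getCaller());
            if (expected != null && upc.getPassword().compareTo(expected)) {
                return new CredentialValidationResult(upc.getCaller(), GROUPS.get(upc.getCaller()));
            }
        }
        return CredentialValidationResult.INVALID_RESULT;
    }
}

// Hypothetical resource: reports the caller and the role check through both security views.
@DeclareRoles("R")   // the role that the group "R" handed to the container must be mapped to
@Path("check")
class RoleCheckResource {

    @Context
    private javax.ws.rs.core.SecurityContext jaxrsContext;   // JAX-RS view: getUserPrincipal/isUserInRole

    @Inject
    private SecurityContext eeContext;                        // Java EE Security API view

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String check() {
        String jaxrsName = jaxrsContext.getUserPrincipal() == null ? "anonymous"
                : jaxrsContext.getUserPrincipal().getName();
        String eeName = eeContext.getCallerPrincipal() == null ? "anonymous"
                : eeContext.getCallerPrincipal().getName();
        return "jaxrs: " + jaxrsName + " isUserInRole(R)=" + jaxrsContext.isUserInRole("R")
             + " | ee: " + eeName + " isCallerInRole(R)=" + eeContext.isCallerInRole("R");
    }
}
```

Request it with `curl -u alice:secret http://host/app/check`. If the JAX-RS view reports the caller but `false` for the role while the Java EE Security API view reports `true`, the problem is in how the JAX-RS layer consults roles; if both views report `false`, the group "R" that the mechanism passed to the container was never mapped to the declared role "R". On GlassFish-derived servers such as Payara that mapping is not automatic: it comes either from a `<security-role-mapping>` entry in glassfish-web.xml (or glassfish-application.xml for the EAR) or from enabling the server's "Default Principal To Role Mapping" setting under Security in the admin console, which maps each group to the role of the same name.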