Security API ignores roles provided by custom security extension

In my EAR I have WAR with the following custom security extension:

public class CustomAuth implements HttpAuthenticationMechanism {

    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMsgContext)
            throws AuthenticationException {
        // Fixed caller principal named "P"
        Principal principal = new Principal() {
            public String getName() {
                return "P";
            }
        };

        // Single role "R" reported to the container together with the principal
        Set<String> roles = Set.of("R");

        return httpMsgContext.notifyContainerAboutLogin(principal, roles);
    }
}


Then I am running a BASIC Auth’ed request against this resource:


    public SecurityContext scx;

    @Path("test") @GET @PermitAll
    public String test() {
        System.out.println(this.scx.getCallerPrincipal().getName() + " " + this.scx.isUserInRole("R"));
    }

The result is that the string "P false" is found in server.log, while certainly it should be "P true".

Apparently Payara ignores the roles provided by the custom security extension!

Hi guys, any ideas on this?