15. July 2016

Secure JavaEE Web Application on Payara Micro

Information is very valuable these days and access to it should be limited. That is why application security is an important and integral part of many applications. In this post, I will show you how to get a secure web application up and running with minimal configuration overhead.

How, you ask? Payara Micro runs JavaEE7 applications on an embedded Payara Server and JavaEE offers security mechanisms out of the box. So when you combine these two, you don’t have to worry about server installation and you don’t need to come up with your own implementation of security or use additional tools.

Step 1 – Configure JavaEE web security

Assuming you have a web application, you need to define the security roles and the security constraints of the application in the web.xml file.

In my example application, there are two paths under the application root context, “authenticated” and “vip”. We will restrict access to the pages under the path “authenticated” to users with the roles AUTHENTICATED_USERS and VIP_USERS, and to the pages under the path “vip” only to users with the VIP_USERS role.

In addition you will also configure the authentication method and the realm name in the web.xml file.
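
As an added illustration (not the author's original listing), a web.xml matching this description could look like the following. The BASIC authentication method is an assumption; the realm name jdbcRealm is the one that appears in the admin console path in step 3.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- /authenticated/*: users in either role may enter -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated pages</web-resource-name>
      <url-pattern>/authenticated/*</url-pattern>
      <!-- No <http-method> elements: the constraint covers every HTTP method -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>AUTHENTICATED_USERS</role-name>
      <role-name>VIP_USERS</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- /vip/*: VIP_USERS only -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>VIP pages</web-resource-name>
      <url-pattern>/vip/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>VIP_USERS</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Authentication method (assumed BASIC) and the realm that checks credentials -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>jdbcRealm</realm-name>
  </login-config>

  <!-- Every role used in an auth-constraint must be declared -->
  <security-role>
    <role-name>AUTHENTICATED_USERS</role-name>
  </security-role>
  <security-role>
    <role-name>VIP_USERS</role-name>
  </security-role>
</web-app>
```

BASIC authentication sends the password, only base64-encoded, with every request, so these paths should be served over TLS. Leaving `<http-method>` out of the resource collections is deliberate: listing individual methods would leave the unlisted ones unprotected.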

Step 2 – Create database table and user data

Since I will use a JDBC realm for the authentication in my application, we need to create three database tables. One of them will store the users with their passwords, the second one will store the security roles and the third one the assignments of users to roles.

My SQL script to set up the database tables looks like this:

Once the tables have been created, the roles configured in the application should be saved to the database and, to test the application later, a couple of users should be created and assigned to the roles.

Step 3 – Configure the JDBC realm

On Payara Micro you don’t have access to an admin console, which is why you need to manually add the configuration of the security realm, the JDBC pool and the JDBC resource to a domain.xml file.

You can just take the domain.xml that comes with Payara Micro and add the highlighted lines with the data according to your database configuration.

If you don’t want to create these lines manually and want to avoid errors that could be difficult to troubleshoot later, you can start an instance of a full Payara server and create the configuration there. Afterwards you can open the domain.xml of the full server and copy the configuration into the domain.xml of Payara Micro.

To configure the security realm in the admin console you have to go to “Configurations > server-config > Security > Realms > jdbcRealm” and enter the following data.

JDBC Realm

In addition to the realm you need to configure the JDBC connection pool, which you find under “JDBC > JDBC Connection Pools”. There you need to enter a name for the pool, select the resource type and enter the datasource class name for your specific database. Under “Additional Properties” you have to enter the information needed to connect to your database.

JDBC Connection Pool

JDBC Connection Pool Advanced Properties

Once the connection pool has been created, you can create the JDBC resource under “JDBC > JDBC Resources”. Simply enter a JNDI name and select the connection pool you created previously.

JDBC Resource
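
The three additions to domain.xml described in this step (connection pool, JDBC resource, realm), written out by hand as an added example; this is not the author's original configuration. The PostgreSQL datasource, the pool and JNDI names, the table and column names, and the account are all assumptions chosen for illustration.

```xml
<!-- Added example: fragments to merge into Payara Micro's domain.xml.
     All names and values are illustrative assumptions. -->

<!-- 1) Inside <resources>: the connection pool and the JDBC resource -->
<jdbc-connection-pool name="securityPool"
                      res-type="javax.sql.DataSource"
                      datasource-classname="org.postgresql.ds.PGSimpleDataSource">
  <property name="serverName" value="localhost"/>
  <property name="portNumber" value="5432"/>
  <property name="databaseName" value="appdb"/>
  <!-- The realm only reads the user and group tables, so a read-only
       account is enough. This file is packaged into the uber jar in
       step 6, so the jar then carries this password. -->
  <property name="user" value="realm_reader"/>
  <property name="password" value="CHANGE_ME"/>
</jdbc-connection-pool>
<jdbc-resource pool-name="securityPool" jndi-name="jdbc/security"/>

<!-- 2) Inside the <server> element: make the resource available -->
<resource-ref ref="jdbc/security"/>

<!-- 3) Inside <security-service> of server-config: the JDBC realm.
     The name must match <realm-name> in web.xml. -->
<auth-realm name="jdbcRealm"
            classname="com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm">
  <property name="jaas-context" value="jdbcRealm"/>
  <property name="datasource-jndi" value="jdbc/security"/>
  <!-- Table holding user names and password digests -->
  <property name="user-table" value="users"/>
  <property name="user-name-column" value="username"/>
  <property name="password-column" value="password"/>
  <!-- Table assigning users to roles -->
  <property name="group-table" value="users_roles"/>
  <property name="group-table-user-name-column" value="username"/>
  <property name="group-name-column" value="rolename"/>
  <!-- Passwords are stored as hex-encoded SHA-256 digests, never in clear text -->
  <property name="digest-algorithm" value="SHA-256"/>
  <property name="encoding" value="Hex"/>
  <property name="charset" value="UTF-8"/>
</auth-realm>
```

The values written to the password column must be produced with the same digest algorithm, encoding and charset as configured here, otherwise every login fails even with the correct password.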

Step 4 – Include JDBC driver in your application

Unless you use a Derby database, the driver for your database will not be available out of the box on Payara Micro. In that case, you need to copy the driver to the WEB-INF/lib folder of your application.

Step 5 – Create a file with system properties

As I worked on this blog post I discovered an issue in Payara Micro, which doesn’t load the login.conf file. The login modules for all security realms are in this file and security will not work when it is not loaded. The good news is that there is a very simple workaround. The better news is that the issue has been addressed and the fix should be available starting on version

As for the workaround, you just need to create a system.properties file, which will be referenced in the next step, with this line in it.

Step 6 – Create an uber jar with Payara Micro

An uber jar is basically an executable jar that contains not only the application but also all of its dependencies (in this case, Payara Micro and a couple of configuration files). This means that the uber jar itself has no dependencies and can be executed wherever Java is installed.

Creating an uber jar with Payara Micro is very simple because their CLI offers a command for that. So just run Payara Micro with the following parameters:

  • --deploy the filename of your compiled war
  • --domainConfig the name of the file you created in step 3
  • --systemProperties the name of the file you created in step 5
  • --outputUberJar how you want your uber jar to be named

The command for my example application looks like this:

When creating the jar this way, the domain configuration and the system properties are packaged in the uber jar and do not need to be referenced again in any other way when running the application.

Tip: you can also include other Payara Micro command line options, such as the port number or deployment directory, and these will be used every time the uber jar is run.

Step 7 – Run the application

To run the application you only need to enter the following on the command line:

My example web application consists of a web page without security and two secure web pages, which can be accessed by users assigned to different security roles.

Anyone can access the index page.

Secure Application on Payara Micro

But when either of the links is clicked, credentials are required.


If the user name and password for a user assigned to the appropriate role is entered, the page can be accessed.


Otherwise, the user will be denied!


So, there it is. A secure web application up and running in just 7 steps.



  1. Mark

    Very good tutorial