Configuring RESTEasy Applications

Since WildFly 20, you can configure RESTEasy through the MicroProfile Config project ( The use of MicroProfile Config offers to REST developers a plenty of flexibility in controlling runtime configuration.

If you want to read more details about MicroProfile Config API, we recommend checking this tutorial: Configuring Microservices with MicroProfile Configuration

In a nutshell, the MicroProfile Config, defines a ConfigSource as Map<String, String> of property names to values. In turn, the ConfigSource represents a sequence of ConfigSources, ordered by priority. The priority of a ConfigSource is given by an ordinal (represented by an int), with a higher value indicating a higher priority. Here is the ordered list (Top-Down Ranking) ConfigSources:

  • a ConfigSource based on System.getProperties() (ordinal = 400).
  • a ConfigSource based on System.getenv() (ordinal = 300)
  • a ConfigSource for each META-INF/ file on the ClassPath, separately configurable via a config_ordinal property inside each file (default ordinal = 100)

Using MicroProfile Config with REST Easy

Before WildFly 20, configuration properties were added at application level through the standard web.xml descriptor. For example, to set the property:


Now, you can define this property with any of the ConfigSources, for example through the META-INF/ file:

You can check an example application which uses RESTEasy Role Base Security here: Securing JAX-RS Services in WildFly applications

The full list of Properties you can set for your REST Easy Application is listed in this Table:

Configuration Param Default Description
resteasy.servlet.mapping.prefix NA If the url-pattern for the RESTEasy servlet-mapping is not /*
resteasy.providers NA A comma delimited list of fully qualified @Provider class names you want to register
resteasy.use.builtin.providers true Whether or not to register default, built-in @Provider classes
resteasy.resources NA A comma delimited list of fully qualified JAX-RS resource class names you want to register
resteasy.jndi.resources NA A comma delimited list of JNDI names which reference objects you want to register as JAX-RS resources NA Fully qualified name of Application class to bootstrap in a spec portable way NA Replaces the need for an Accept header by mapping file name extensions (like .xml or .txt) to a media type. Used when the client is unable to use an Accept header to choose a representation (i.e. a browser).
resteasy.language.mappings NA Replaces the need for an Accept-Language header by mapping file name extensions (like .en or .fr) to a language. Used when the client is unable to use an Accept-Language header to choose a language (i.e. a browser). NA Names a query parameter that can be set to an acceptable media type, enabling content negotiation without an Accept header. false Enables role based security.
resteasy.document.expand.entity.references false Expand external entities in org.w3c.dom.Document documents and JAXB object representations true Impose security constraints in processing org.w3c.dom.Document documents and JAXB object representations true Prohibit DTDs in org.w3c.dom.Document documents and JAXB object representations
resteasy.wider.request.matching false Turns off the JAX-RS spec defined class-level expression filtering and instead tries to match version every method’s full path.
resteasy.use.container.form.params false Obtain form parameters by using HttpServletRequest.getParameterMap(). Use this switch if you are calling this method within a servlet filter or eating the input stream within the filter.
resteasy.rfc7232preconditions false Enables RFC7232 compliant HTTP preconditions handling.
resteasy.gzip.max.input 10000000 Imposes maximum size on decompressed gzipped . 100 The number of times a SecureRandom can be used before reseeding.
resteasy.buffer.exception.entity true Upon receiving an exception, the client side buffers any response entity before closing the connection.
resteasy.add.charset true If a resource method returns a text/* or application/xml* media type without an explicit charset, RESTEasy will add “charset=UTF-8” to the returned Content-Type header. Note that the charset defaults to UTF-8 in this case, independent of the setting of this parameter.
resteasy.disable.html.sanitizer false Normally, a response with media type “text/html” and a status of 400 will be processed so that the characters “/”, “<“, “>”, “&”, “”” (double quote), and “‘” (single quote) are escaped to prevent an XSS attack. If this parameter is set to “true”, escaping will not occur.
resteasy.patchfilter.disabled false Turns off the default patch filter to handle JSON patch and JSON Merge Patch request. A customerized patch method filter can be provided to serve the JSON patch and JSON merge patch request instead.