The current implementation is using a Supplier<List<HttpServerAuthenticationMechanism>> when get is called on this Supplier a ServerAuthenticationContext needs to be created, then all possible mechanisms need to be queried before the list of mechanisms is created.

The HTTP Authenticator is created per request. API may be fine but we may need an easier way to provide all the mechanisms.

Will look at that one later once hot deployment is also considered fully.