Introduction to IdentityStore and Authentication Mechanism

Learn more about the details of IdentityStore, AuthenticationMechanism, SecurityContext, and Logout.


The official definition of the IdentityStore is as follows:

IdentityStore is a mechanism for validating a caller’s credentials and accessing a caller’s identity attributes. It can be used as an authentication mechanism.

The IdentityStore is responsible for determining whether user credentials are correct. We declared a custom class that implements the interface as a CDI bean in the lesson "Callback Handlers." Since the IdentityStore is also responsible for retrieving the user’s attributes, such as the groups to which they are assigned, we have two main methods in the interface.

  • CredentialValidationResult validate(Credential credential);

  • Set<String> getCallerGroups(CredentialValidationResult validationResult);

By default, both actions are performed by an IdentityStore, validating the credentials and retrieving the groups. In a user implementation of the interface. We can specify which action is performed by returning the desired action by the method validationTypes() within a user implementation of the interface.

The specification defines that multiple stores can be defined and sorted based on the return value of the priority() method. A default IdentityStoreHandler performs the following actions:

  • Loop over all known IdentityStore until a store returns as a result INVALID or VALID.

  • A NOT_VALIDATED result means the store can’t handle the credentials type, and other stores get the chance to determine if the credentials are valid.

You can customize the IdentityStoreHandler by defining an alternative CDI bean that implements the interface. This way, you can implement any logic you need.

Note: The IdentityStore defined for the OpenID Connect integration doesn’t do anything. It assumes that authentication is successful when a valid authorization code is received and the store accepts the credentials.

Authentication mechanism

We started by explaining that IdentityStore was related to the naming issue, but the AuthenticationMechanism of the Security API actually comes first. This component is responsible for retrieving the user credentials from the request.

HttpAuthenticationMechanism is a mechanism for obtaining a caller’s credentials, using the HTTP protocol where necessary.

In the case of Basic authentication, this might be the retrieval of a username and password from the header. When using form authentication, the parameters containing username and password may be retrieved from the body of the request. OpenID Connect support does the hard work of retrieving and validating the tokens.

We also used a custom mechanism in the example where we looked at the URL parameters of the call.

The authentication mechanism can also be annotated by @RememberMe or @AutoApplySession. In these cases, a cookie or usage of HTTP session is automatically applied to preserve the authentication information in case of a stateful scenario.

In contrast to the IdentityStore, you can only define one mechanism for each application. This might be improved in a future version of the Security API specification.


Get hands-on with 1200+ tech skills courses.