First of all, the Security API includes HttpAuthenticationMechanism, which provides the features of the JASPIC standard with much less development effort needed. It's specified to be used in a servlet context.

Application developers are only required to define a custom HttpAuthenticationModule and to configure the authentication in the web.xml deployment descriptor. We will have a look at a custom security implementation later in this chapter.

The Java EE container already ships with predefined HTTP authentication mechanisms for basic, default, and custom form authentication. The developers can use this predefined functionality with minimal effort. Before we see an example, let's see how to store the user information.