Identity stores

The concept of identity stores was also added with the Security API. Identity stores provide the authentication and authorization information of users in lightweight, portable ways. They offer a unified way to access this information.

The IdentityStore type validates a caller's credentials and accesses the caller's information. As with HTTP authentication mechanisms, application containers are required to provide identity stores for LDAP and database access.

The following shows an example using the container-provided security functionality:

import javax.security.enterprise.authentication.mechanism.http.*;
import javax.security.enterprise.identitystore.DatabaseIdentityStoreDefinition;
import javax.security.enterprise.identitystore.IdentityStore;

@BasicAuthenticationMechanismDefinition(realmName = "car-realm")
@DatabaseIdentityStoreDefinition(
    dataSourceLookup = "java:comp/UserDS",
    callerQuery = "select password from users where name = ?",
    // VALIDATE: this store only checks credentials; it does not supply groups
    useFor = IdentityStore.ValidationType.VALIDATE
)
public class SecurityConfig {
    // nothing to configure
}

Application developers only need to provide this annotated class. This approach provides simple and straightforward security definitions for test purposes.

Typical enterprise projects arguably require more customized approaches. Organizations usually have their own ways of authentication and authorization that need to be integrated.
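One way such a custom integration can look, as an added example that is not taken from the book: an application-provided IdentityStore bean that validates username/password credentials and also supplies groups. The class name, the sample caller `duke` and the group `car-manufacturer` are constructed for illustration, and the code assumes a Java EE 8 container that supplies an injectable `Pbkdf2PasswordHash`.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.Pbkdf2PasswordHash;

// Added example: hypothetical custom store; class name and sample data are constructed.
@ApplicationScoped
public class InMemoryIdentityStore implements IdentityStore {

    @Inject
    Pbkdf2PasswordHash passwordHash; // assumption: provided by the container

    private final Map<String, String> hashes = new ConcurrentHashMap<>();
    private final Map<String, Set<String>> groups = new ConcurrentHashMap<>();

    @PostConstruct
    void loadSampleCallers() {
        // Constructed sample caller; a real store would read stored hashes from its backend.
        hashes.put("duke", passwordHash.generate("constructed-sample".toCharArray()));
        groups.put("duke", Collections.singleton("car-manufacturer"));
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT; // not our credential type
        }
        UsernamePasswordCredential login = (UsernamePasswordCredential) credential;
        String stored = hashes.get(login.getCaller());
        // Unknown caller and wrong password yield the same result, so the response names neither.
        if (stored == null || !passwordHash.verify(login.getPassword().getValue(), stored)) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        return new CredentialValidationResult(login.getCaller(), groups.get(login.getCaller()));
    }

    // Matches the interface default; spelled out to contrast with useFor = VALIDATE above.
    @Override
    public Set<ValidationType> validationTypes() {
        return EnumSet.of(ValidationType.VALIDATE, ValidationType.PROVIDE_GROUPS);
    }
}
```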
