Setting up an identity store stored in a relational database

To authenticate a secured resource, such as a Servlet or JAX-RS RESTful web service, against credentials stored in a relational database, we need to annotate an application-scoped CDI bean with the @DatabaseIdentityStoreDefinition annotation, as illustrated in the following example.

package net.ensode.javaee8book.httpauthdatabaseidentitystore.security;

import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.identitystore.DatabaseIdentityStoreDefinition;

// Declares a database-backed identity store; the container reads the
// credentials and group memberships through the JNDI data source below.
@DatabaseIdentityStoreDefinition(
        // JNDI name of the JDBC data source holding the user tables
        dataSourceLookup = "jdbc/userAuth",
        // Returns the stored password for the caller's username (bound to ?)
        callerQuery = "select password from users where name = ?",
        // Returns every group (role) name the caller belongs to
        groupsQuery = "select g.GROUP_NAME from "
                + "USER_GROUPS ug, users u, "
                + "GROUPS g where u.USERNAME=? "
                + "and ug.USER_ID = u.user_id "
                + "and g.GROUP_ID= ug.GROUP_ID"
)
@ApplicationScoped
public class ApplicationConfig {
    // No members are needed; the annotation alone registers the identity store.
}

In our example, the JNDI name for the JDBC connection for the relational database containing user credentials is jdbc/userAuth, which is the value we provided to the dataSourceLookup attribute of the @DatabaseIdentityStoreDefinition annotation.

The callerQuery parameter of @DatabaseIdentityStoreDefinition specifies the SQL query that retrieves the stored password for the user being authenticated; the username supplied by the caller is bound to the query's ? parameter. The value retrieved from the database must match the credentials provided by the user (via an authentication mechanism, covered later in this chapter).

Most secured applications have different types of users separated into roles, for example, an application could have "regular" users plus administrators. Administrators would be allowed to perform certain actions that regular users would not. For example, administrators could be able to reset user passwords and add or remove users from the system. The groupsQuery attribute of @DatabaseIdentityStoreDefinition allows us to retrieve all roles for the user.
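The following is an added example, not code from the book. It models what the container does with the two queries above: a small SQLite database stands in for the jdbc/userAuth data source, the schema is the one the callerQuery and groupsQuery imply (users, GROUPS and USER_GROUPS tables), and validate() runs the callerQuery, checks the password and then runs the groupsQuery to collect the caller's roles. Two points are assumptions rather than taken from the page: the users table has a single username column (the book's callerQuery refers to it as name and its groupsQuery as USERNAME), and the stored password is a PBKDF2 string in the layout algorithm:iterations:base64 salt:base64 hash. The reason the password column holds a hash rather than clear text is that @DatabaseIdentityStoreDefinition verifies passwords through its hashAlgorithm attribute, which defaults to Pbkdf2PasswordHash, so whatever writes the users table must store hashes that the configured algorithm can verify.

```python
import base64
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Set

# Constructed schema implied by the page's callerQuery and groupsQuery.
# Assumption: one `username` column. "groups" is double-quoted because
# GROUPS is a reserved word in some SQL engines, SQLite included.
SCHEMA = """
CREATE TABLE users (
    user_id  INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL            -- holds a hash, never the clear-text password
);
CREATE TABLE "groups" (
    group_id   INTEGER PRIMARY KEY,
    group_name TEXT NOT NULL UNIQUE
);
CREATE TABLE user_groups (
    user_id  INTEGER NOT NULL REFERENCES users(user_id),
    group_id INTEGER NOT NULL REFERENCES "groups"(group_id),
    PRIMARY KEY (user_id, group_id)
);
"""

# Same shape as the annotation's callerQuery and groupsQuery.
CALLER_QUERY = "select password from users where username = ?"
GROUPS_QUERY = (
    'select g.group_name from user_groups ug, users u, "groups" g '
    "where u.username = ? and ug.user_id = u.user_id and g.group_id = ug.group_id"
)

ITERATIONS = 2048  # PBKDF2 iteration count used when hashing new passwords


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Encode a password as 'PBKDF2WithHmacSHA256:<iters>:<b64 salt>:<b64 hash>'.

    The layout is an assumption made for this example, not a specification.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return ":".join([
        "PBKDF2WithHmacSHA256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    algorithm, iterations, salt_b64, hash_b64 = stored.split(":")
    if algorithm != "PBKDF2WithHmacSHA256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def build_store() -> sqlite3.Connection:
    """Create the in-memory database with constructed sample users and groups."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("insert into users(user_id, username, password) values (?, ?, ?)", [
        (1, "alice", hash_password("alice-secret")),   # constructed sample credentials
        (2, "bob", hash_password("bob-secret")),
    ])
    conn.executemany('insert into "groups"(group_id, group_name) values (?, ?)',
                     [(1, "user"), (2, "admin")])
    conn.executemany("insert into user_groups(user_id, group_id) values (?, ?)",
                     [(1, 1), (1, 2), (2, 1)])
    conn.commit()
    return conn


def validate(conn: sqlite3.Connection, username: str, password: str) -> Optional[Set[str]]:
    """Mimic the identity store: callerQuery, hash check, then groupsQuery.

    Returns the caller's group names on success, or None for an unknown user
    or a wrong password (the two cases are deliberately not distinguished).
    """
    row = conn.execute(CALLER_QUERY, (username,)).fetchone()
    if row is None or not verify_password(password, row[0]):
        return None
    return {name for (name,) in conn.execute(GROUPS_QUERY, (username,))}


if __name__ == "__main__":
    store = build_store()
    print("alice:", validate(store, "alice", "alice-secret"))  # {'user', 'admin'}
    print("bob:", validate(store, "bob", "bob-secret"))        # {'user'}
    print("bad password:", validate(store, "bob", "nope"))     # None
```

Because both queries are parameterised, the username reaches the database as a bound value and is never spliced into the SQL text, which is also how the container executes the annotation's queries. The groups returned by validate() are what the container later turns into the roles that @RolesAllowed and isUserInRole() check against.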
