Identity Store is basically a data store that keeps information such as usernames, group memberships, and credentials. The Java Security API provides IdentityStore abstraction in the form of IdentityStore. IdentityStore can work well with HTTPAuthenticationMechanism, but you are free to use any other authentication mechanism. The IdentityStoreHandler API provided with IdentityStore manages instances of IdenityStore.  The Java Security API comes with a default implementation of IdentityStoreHandler. The default implementation can authenticate against multiple instances of IdentityStore and is sufficient in most cases, though one can implement a custom IdentityStoreHandler. IdentityStoreHandler would iterate over stores and return CredentialValidationResult, which in its simplest form would return a status value as one of three states: NOT_VALIDATED, INVALID, or VALID. If a VALID state is returned by IdentityStore, no more stores are checked and the result is returned. If INVALID is returned by IdentityStore, further stores are checked. If all the states are INVALID, it is considered the final state, otherwise NOT_VALIDATED is returned.