An identity store is a database or directory (store) that contains identity information
about a collection of users that includes an application’s callers. An identity store
holds caller names, group membership information, and information sufficient
to allow it to validate a caller’s credentials. An identity store may also contain other
information, such as globally unique caller identifiers or other caller attributes.

As specified in the Java EE Security API, the IdentityStore interface
provides an abstraction of an identity store. Implementations of the
IdentityStore interface interact with identity stores to authenticate users
and to retrieve caller group information. Most often, an implementation of the
IdentityStore interface interacts with an external identity store, such as an
LDAP server, but it can also manage user account data itself.

The IdentityStore interface is intended primarily for use by the
HttpAuthenticationMechanism (also specified in the
Java EE Security API), but can be used by other implementations such as a JASPIC
ServerAuthModule or a container’s built-in authentication mechanisms. Using
IdentityStore implementations, both built-in and custom, provides a significant
advantage over the BASIC and FORM mechanisms
defined by Servlet 4.0 (and previous versions) and configured declaratively
because it allows an application to control the identity stores it will
authenticate against in a standard, portable way.

An application can provide its own IdentityStore
or use the built-in LDAP or Database identity store implementations of the interface.

For details about the
IdentityStore interfaces and examples of their usage, see
Overview of the Identity Store Interfaces.
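
As an added example (not taken from the tutorial or the API's reference implementation), the following sketches an application-provided IdentityStore that manages user account data itself. The class name, the sample account, and the PBKDF2 parameters are assumptions made for illustration.

```java
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
// Hypothetical custom store: class name, account data and hashing parameters are assumptions.
@ApplicationScoped
public class InMemoryIdentityStore implements IdentityStore {
    private static final byte[] DUMMY_SALT = new byte[16];
    private final Map<String, byte[]> salts = new HashMap<>();
    private final Map<String, byte[]> hashes = new HashMap<>();
    private final Map<String, Set<String>> groups = new HashMap<>();
    public InMemoryIdentityStore() {
        // Constructed sample account; a real store would load salted hashes from storage.
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        salts.put("alice", salt);
        hashes.put("alice", pbkdf2("s3cret-Passphrase".toCharArray(), salt));
        groups.put("alice", new HashSet<>(Arrays.asList("user", "admin")));
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT; // leave it to another store
        }
        UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        String caller = upc.getCaller();
        // Hash even for unknown callers so response time does not reveal which names exist.
        byte[] candidate = pbkdf2(upc.getPassword().getValue(), salts.getOrDefault(caller, DUMMY_SALT));
        byte[] expected = hashes.get(caller);
        if (expected != null && MessageDigest.isEqual(expected, candidate)) { // constant-time compare
            return new CredentialValidationResult(caller, groups.get(caller));
        }
        return CredentialValidationResult.INVALID_RESULT;
    }
    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(new PBEKeySpec(password, salt, 210_000, 256)).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }
}
```

The store returns the caller's groups in the CredentialValidationResult, so one class covers both roles described above: validating credentials and supplying group membership.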