HttpAuthenticationMechanism

Once we have an IdentityStore implementation, we can use it to secure our application code. Java EE 8 provides an API for this: HttpAuthenticationMechanism. It can be used to secure servlets and, equally, any frameworks based on them. HttpAuthenticationMechanism is used to validate the user identity information. Together with the IdentityStore, it enables the application to control the identity stores that it uses for authentication in a portable manner.

The HttpAuthenticationMechanism validates the request and checks the authentication status. It takes the identity information that it has received from the incoming request and passes it to the identity store for validation. Based on the validation result, it either grants access or denies it. The following diagram depicts this:

HttpAuthenticationMechanism can be configured to use multiple identity stores, as shown in the preceding diagram, and can use IdentityStoreHandler to manage these identity stores. IdentityStoreHandler groups the IdentityStore implementations together. The handler can be injected using CDI into an HttpAuthenticationMechanism implementation.

HttpAuthenticationMechanism is an interface, and default implementations of it are available.
