We might want to use the LdapIdentityStore provider instead of database, as this will be a more common case.

Agree, may be I will try to include LdapIdentityStore one as a seperate example and retain this one as well.

I think "groups" is more accurate than "roles" in this context.

Done

Done.

We should not use PlaintextPasswordHash -- we don't want to even suggest that someone could do this. If we put it out there as an example, it will inevitably be included in at least some applications, and it's a huge security hole. The issue is moot if we use LdapIdentityStore. If we stay with this, we should make at least some minimal attempt to do hashing, but a "simple" hash might also be the wrong thing to do, because it may also be insecure, but will fool people into thinking they're doing secure password hashing. Password hashing is hard to get right on your own, which is the entire reason for having the Pbkdf2PasswordHash -- better to use that, unless we're going to put the effort into implementing some other secure password hash algorithm.

I will replace PlaintextPasswordHash with Pbkdf2PasswordHash. I will try to include LdapIdentityStore as a separate example.

Database example has been modified to use Pbkdf2PasswordHash. If time permits I will try to add an example with LdapIdentityStore.

These parameters are meaningless, and therefore may be more likely to confuse than educate. If you want to have parameters, you should supply a PasswordHash impl that will actually use them. If you write your own, you should include an initialize() method that processes any parameters that you show.

I will modify accordingly.

Pbkdf2PasswordHash is being used, these parameters have been replace now:

public String[] getDyna() {
         return new String[]{"Pbkdf2PasswordHash.Algorithm=PBKDF2WithHmacSHA512", "Pbkdf2PasswordHash.SaltSizeBytes=64"};
     }

Perhaps use result.getCallerPrincipal().getName(), which will demonstrate that the caller name can be passed as a string. I hope that passing CallerPrincipal as an argument does not become a pattern, because CallerPrincipal, ultimately, is not the platform caller principal in GF, and likely won't be on other platforms either. It is also not an "interesting" application caller principal, because it adds no value for an application. It carries nothing but a name. So it ends up as an extra principal carried around by the subject, but adding no value, and is passed here only because it happens to be returned by IdentityStoreHandler.

This is an area where I think the spec could have used more work to clarify the purpose and use of CallerPrincipal; unfortunately we ran out of time.

Done.

Switched to BasicAuthenticationMechanism, got addressed as part of that.

Maybe use the BasicAuthenticationMechanism instead, for this example? It will invoke any configured identity store.

Agree. Will modify accordingly.

Similar comment to above -- use result.getCallerPrincipal().getName()? It's probably reasonable to just use result.getCallerPrincipal() sometimes; we should show both methods in the various examples.

Right. I will keep that in mind while adding examples in glassfish-samples. for tutorial-examples, I will change it to getName().

As you suggested, I will be using BasicAuthenticationMechanism for this example, hence this too will get addressed as part of that.

Version 1.0

Will update it to 1.0.

Use BasicAuthenticationMechanism instead, for this example?

Yes, I will change it accordingly.

Maybe add a comment that this is for illustrative purposes only, and that a real IdentityStore should include secure storage and credential validation capabilities? This example is so trivial that it's obviously not usable, but we don't want to encourage the use of hard-coded/in-memory stores, or user databases trivially provided as unencrypted files, etc.

Right. I will add the comment as suggested.

Change to: This example demonstrates how you can configure a "DatabaseIdentityStore" to point to a backend database and then use it as an "IdentityStore."

Done.

In this example, "the" following users are defined, along with the roles they are in. (add the and comma)

Done.

You should not use real names here. It is best to use something more generic like Joe, Sam, Tom, Sue.

Done.

...the authentication mechanism bundled with the application comes into effect and authentication is performed against the ...

Done.

Post authentication, the application also verifies the roles the caller is in and sends the details as part of the response.

Done.

In GlassFish 5.0, role to group mapping is enabled by default. Therefore, you do not need to bundle web.xml with the application to provide mapping between roles and groups.

Done.

...the roles the user is in get returned as part of the response.

This class is going to be replaced completely with BasicAuthenticationMechanism as noted above.

Note that the container needs to be made aware of the supported roles, which is achieved with the help of the '@DeclareRoles' annotation as shown above.

Done.

In this example, we are using the credentials of user 'reza' to make a request and to validate the response according to the credentials specified in 'TestIdentityStore' above.
or
In this example, we are using the credentials of user 'reza' to make a request and to determine if the response is consistent with the credentials specified in 'TestIdentityStore' above.

Not sure which one is technically correct.

The former one, have replaced accordingly.

After the application is deployed, we can make a request to the application using the URL shown below:"

Done.

Done.

Done.

Done.

Done.

Done.

The former one, have replaced accordingly.

Done.

Will update it to 1.0.

Yes, I will change it accordingly.

Right. I will add the comment as suggested.