PAM Identity Store

Since Payara Server 5.194

The Payara API provides a @PamIdentityStoreDefinition annotation that creates an identity store to authenticate the users using the pam realm.


The PAM realm identity store is defined through the @PamIdentityStoreDefinition annotation. Specifying this in a valid place as defined by the Jakarta EE Security API will create the identity store. Often this may mean that any class is a valid position. If a PAM realm is not found with the defined name then a new PAM realm is registered on the server using the create-auth-realm asadmin command, otherwise the existing PAM realm instance is used to authenticate the users.


The following code sample illustrates how to configure PAM realm identity store:

@DeclareRoles({ "a", "b"})
@BasicAuthenticationMechanismDefinition(realmName = "pam-realm")
public class MyRestApp extends Application {


The PAM realm identity store can be configured with both @PamIdentityStoreDefinition annotation attributes and MicroProfile Config properties. The annotation and MicroProfile properties have several configuration options.

They are detailed as shown below.

Option MP Config property Description Default Required


The name of PAM realm.



The users are assigned membership to these groups for the purposes of authorization decisions.


The JAAS Context of Pam realm.


Note : If both an annotation attribute and a MicroProfile Config property are defined for the same option then the MicroProfile Config property value always takes precedence over the @PamIdentityStoreDefinition annotation value.