9 Replies Latest reply on Jun 28, 2010 4:20 AM by bdaw

    Implementing IdentityStore

    vincewang

We are currently trying to integrate GateIn portal with our own Role/Group framework. We store our roles and groups in the corporate entitlement framework. Therefore, we cannot just plug in the IDM LDAP or Hibernate IdentityStore. Can someone point us in the right direction or to documentation/examples on how to implement a customized IdentityStore, so that we can retrieve the group and role information from our framework and feed in the information upon logging in to GateIn? Thank you.

        • 1. Re: Implementing IdentityStore
          bdaw

I'm afraid that we don't have any dedicated examples or documentation for IdentityStore implementation yet. For now you need to jump into the sources and use the existing LDAP and Hibernate implementations as an example. I think that the existing test suite could be easily extended to test such a custom implementation, as the API tests are quite generic. You can limit the capabilities of your implementation by using the metadata layer describing IdentityStore features. The role of FallbackIdentityStoreRepository is to operate with such stores that don't expose all features and fall back to the Hibernate store for the other operations. I can advise you if you have any specific questions.

          • 2. Re: Implementing IdentityStore
            vincewang

Thank you Boleslaw very much for replying. Yes, the next step I was going to do is to decompile the LDAPIdentityStoreImpl, since there seems to be no place to download the source code, to find out what methods need to be implemented. Can you explain a little bit what you meant by "using metadata layer describing IdentityStore 'features'"? You meant I don't need to implement all the methods for all the attributes of user/group/role, and they will be defaulted to the default store?

            • 3. Re: Implementing IdentityStore
              bdaw

Hej, you are talking about an Open Source project here. Do you really want to decompile open source libraries? I bet there are more interesting things to do

              http://anonsvn.jboss.org/repos/picketlink/idm/tags/1.1.3.GA/

              http://www.jboss.org/picketlink/IDM.html

              http://anonsvn.jboss.org/repos/picketlink/idm/downloads/docs/1.0.0.GA/ReferenceGuide/en-US/html/index.html

Please take a look at the FeaturesDescription interface in the SPI and read the ReferenceGuide. Then I'll be happy to answer your questions

              • 4. Re: Implementing IdentityStore
                vincewang

Thank you for pointing to the source and the documentation. I successfully used the LDAP implementation as the base and changed some methods to integrate our own implementation. From the documentation, it states LDAP does not support the role relationship, which I can understand. With my test code trying to associate the user and group with a role, I am getting this error: "Role management not supported by underlying configuration identity stores". My question is how do I make my implementation support the role relationship? The sentence in the document "..IdentityObjectRelationship has a IdentityObjectRelationshipName which is simple mapping of RoleType used in API..." seems to be the key. How and where do I create this IdentityObjectRelationshipName to support the Role as a supported relationship type? I did add JBOSS_IDENTITY_ROLE in the XML under supported-relationship-types, but that didn't seem to have any impact.

                • 5. Re: Implementing IdentityStore
                  vincewang

I thought that by implementing the set of xxxRelationshipName/Properties methods, the role manager would be supported. However, it did not work. By looking at the source where the stack trace throws the error, I found that it looks like it's getSupportedFeatures() in the identity store repository. So, how do I set isNamedRelationshipSupported() to true?

                  • 6. Re: Implementing IdentityStore
                    bdaw

Just implement getSupportedFeatures() in your IdentityStore impl to return proper metadata information about the store's capabilities. FallbackIdentityStoreRepository should return values that match the configured stores' capabilities. WrapperIdentityStoreRepository will just transparently pass all method calls to the store below. You can also look at the HibernateIdentityStoreImpl, as it implements all features.

                    • 7. Re: Implementing IdentityStore
                      vincewang

Finally got a better understanding by looking at the method calls of the HibernateIdentityStoreImpl. We also have a login module bridge to use our company's authentication. So, we successfully log in and get the session token with the user name. In IdentityStoreImpl.bootstrap(), I tried to just create an IdentityObject with the login user name as a USER type IdentityObject, and "users" as a platform type IdentityObject. Then createRelationship for the login user name and the "users" IdentityObjects for both JBOSS_IDENTITY_ROLE and MEMBERSHIP relationships. Also, we added a <security-constraint> in web.xml for /private/* to use the <auth-constraint><role-name>users</role-name></auth-constraint>.

So, if I have /private in the URL, I get challenged with my company's authentication. Then after I log in, I see the user name is used to create an IdentityObject, and relationships are also created with the "users" object. Still, I am getting this "HTTP 403 access to this resource has been denied" error. What else is missing? Are there any other role or group memberships that need to be created for the logged-in user? Thanks.
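One way to separate "does my store persist and resolve the relationships at all?" from "does the portal's login path ever ask for them?" is to exercise the store through the PicketLink IDM API directly, outside GateIn. The program below is an added diagnostic, not code from this thread or from the PicketLink/GateIn projects; the configuration file name `idm-config.xml`, the realm name `portal`, the user name `vince`, the group `users` of type `platform` and the role type `member` are constructed placeholders to be replaced with your own configuration. It creates the same MEMBERSHIP and named role relationships described in the post above and then reads them back, so a store whose getSupportedFeatures() does not advertise named relationships shows up as the "Role management not supported" IdentityException here rather than as a 403 in the browser.

```java
// Added diagnostic for a custom PicketLink IDM IdentityStore. Not part of the
// thread or of PicketLink/GateIn; config path, realm, user, group and role
// names below are assumed placeholders.
import org.picketlink.idm.api.Group;
import org.picketlink.idm.api.IdentitySession;
import org.picketlink.idm.api.IdentitySessionFactory;
import org.picketlink.idm.api.RoleType;
import org.picketlink.idm.api.User;
import org.picketlink.idm.api.cfg.IdentityConfiguration;
import org.picketlink.idm.common.exception.IdentityException;
import org.picketlink.idm.impl.configuration.IdentityConfigurationImpl;

public class CustomStoreSmokeTest {

    public static void main(String[] args) throws Exception {
        // Assumed: idm-config.xml is the IDM configuration that wires in the
        // custom IdentityStore, and "portal" is the realm it is configured for.
        IdentityConfiguration cfg = new IdentityConfigurationImpl().configure("idm-config.xml");
        IdentitySessionFactory factory = cfg.buildIdentitySessionFactory();
        IdentitySession session = factory.createIdentitySession("portal");
        try {
            session.beginTransaction();

            // 1. Identity objects: a user and the platform group that the
            //    web.xml <role-name>users</role-name> is expected to map to.
            User user = session.getPersistenceManager().createUser("vince");
            Group users = session.getPersistenceManager().createGroup("users", "platform");

            // 2. MEMBERSHIP relationship (the kind an LDAP-style store supports).
            session.getRelationshipManager().associateUser(users, user);
            boolean member = session.getRelationshipManager().isAssociated(users, user);
            report("MEMBERSHIP relationship resolved", member);

            // 3. Named role relationship (JBOSS_IDENTITY_ROLE). The RoleManager
            //    refuses this unless the store's getSupportedFeatures() reports
            //    named relationships as supported.
            boolean roleResolved;
            try {
                RoleType memberRole = session.getRoleManager().createRoleType("member");
                session.getRoleManager().createRole(memberRole, user, users);
                roleResolved = session.getRoleManager().hasRole(user, users, memberRole);
            } catch (IdentityException e) {
                System.out.println("role management rejected by store: " + e.getMessage());
                roleResolved = false;
            }
            report("named role relationship resolved", roleResolved);

            // Diagnostic only: roll back so the store is left as it was
            // (where the store honours transactions).
            session.getTransaction().rollback();
        } finally {
            session.close();
        }
    }

    private static void report(String what, boolean ok) {
        System.out.println((ok ? "OK   " : "FAIL ") + what);
    }
}
```

If both checks pass here but the portal still answers 403, the store is fine and the gap is in the login path (which component asks the store for the user's relationships after authentication); if the second check fails, the store's feature metadata is what needs attention.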

                      • 8. Re: Implementing IdentityStore
                        vincewang

Furthermore, I put some debug statements in the Hibernate implementation and found that with the Hibernate implementation, resolveRelationships() is called with the login name to get the relationships for this user. However, with our login module and the IdentityStore implementation, resolveRelationships() is not called after login. This would explain why I am getting the access denied error. Any idea why the method is not called to retrieve the membership information for my login user? In our login module, we created the eXo Platform Identity with the user name, and then set it in the sharedState.

                        • 9. Re: Implementing IdentityStore
                          bdaw

Honestly it is hard to tell without looking into the code and configuration. I would suggest a remote debugging session going through JAAS, the GateIn OrganizationService and PicketLink IDM to find out what is happening here...

You could also try to hit the problem from a different angle


                          http://community.jboss.org/wiki/GateInIdentityandSecurityFAQ - Q3)


There you can find some suggestions about implementing a RolesExtractor. Also, some kind of workaround would be a LoginModule implementation that would authenticate via your custom database and synchronize into the default GateIn storage.