diff --git a/tck/app-custom-authentication-mechanism-handler2/pom.xml b/tck/app-custom-authentication-mechanism-handler2/pom.xml
new file mode 100644
index 0000000..185f8b8
--- /dev/null
+++ b/tck/app-custom-authentication-mechanism-handler2/pom.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2024 Contributors to the Eclipse Foundation.
+
+    This program and the accompanying materials are made available under the
+    terms of the Eclipse Public License v. 2.0, which is available at
+    http://www.eclipse.org/legal/epl-2.0.
+
+    This Source Code may also be made available under the following Secondary
+    Licenses when the conditions for such availability set forth in the
+    Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+    version 2 with the GNU Classpath Exception, which is available at
+    https://www.gnu.org/software/classpath/license.html.
+
+    SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<parent>
+		<groupId>org.eclipse.ee4j.security.tck</groupId>
+		<artifactId>jakarta-security-tck</artifactId>
+		<version>4.0.0-SNAPSHOT</version>
+	</parent>
+
+	<artifactId>app-custom-authentication-mechanism-handler2</artifactId>
+	<packaging>war</packaging>
+
+	<properties>
+        <failOnMissingWebXml>false</failOnMissingWebXml>
+    </properties>
+
+	<dependencies>
+        <dependency>
+            <groupId>org.eclipse.ee4j.security.tck</groupId>
+            <artifactId>common</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+    </dependencies>
+
+	<build>
+        <finalName>app-custom-authentication-mechanism-handler</finalName>
+	</build>
+</project>
diff --git a/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/BasicAuthenticationMechanism2.java b/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/BasicAuthenticationMechanism2.java
new file mode 100644
index 0000000..e86307d
--- /dev/null
+++ b/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/BasicAuthenticationMechanism2.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package ee.jakarta.tck.security.test;
+
+import static java.lang.annotation.ElementType.FIELD;
+import static java.lang.annotation.ElementType.METHOD;
+import static java.lang.annotation.ElementType.PARAMETER;
+import static java.lang.annotation.ElementType.TYPE;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+import jakarta.enterprise.util.AnnotationLiteral;
+import jakarta.inject.Qualifier;
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+@Qualifier
+@Retention(RUNTIME)
+@Target({ FIELD, METHOD, TYPE, PARAMETER })
+public @interface BasicAuthenticationMechanism2 {
+
+    /**
+     * Supports inline instantiation of the {@link BasicAuthenticationMechanism2} qualifier.
+     *
+     * @since 4.0
+     */
+    public static final class Literal extends AnnotationLiteral<BasicAuthenticationMechanism2> implements BasicAuthenticationMechanism2 {
+        private static final long serialVersionUID = 1L;
+
+        /**
+         * Instance of the {@link BasicAuthenticationMechanism2} qualifier.
+         */
+        public static final Literal INSTANCE = new Literal();
+    }
+
+}
\ No newline at end of file
diff --git a/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/BasicAuthenticationMechanism3.java b/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/BasicAuthenticationMechanism3.java
new file mode 100644
index 0000000..772a8bc
--- /dev/null
+++ b/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/BasicAuthenticationMechanism3.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+package ee.jakarta.tck.security.test;
+
+import static java.lang.annotation.ElementType.FIELD;
+import static java.lang.annotation.ElementType.METHOD;
+import static java.lang.annotation.ElementType.PARAMETER;
+import static java.lang.annotation.ElementType.TYPE;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+import jakarta.enterprise.util.AnnotationLiteral;
+import jakarta.inject.Qualifier;
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+@Qualifier
+@Retention(RUNTIME)
+@Target({ FIELD, METHOD, TYPE, PARAMETER })
+public @interface BasicAuthenticationMechanism3 {
+
+    /**
+     * Supports inline instantiation of the {@link BasicAuthenticationMechanism3} qualifier.
+     *
+     * @since 4.0
+     */
+    public static final class Literal extends AnnotationLiteral<BasicAuthenticationMechanism3> implements BasicAuthenticationMechanism3 {
+        private static final long serialVersionUID = 1L;
+
+        /**
+         * Instance of the {@link BasicAuthenticationMechanism3} qualifier.
+         */
+        public static final Literal INSTANCE = new Literal();
+    }
+
+}
\ No newline at end of file
diff --git a/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/CustomAuthenticationMechanismHandler.java b/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/CustomAuthenticationMechanismHandler.java
new file mode 100644
index 0000000..9fea1a0
--- /dev/null
+++ b/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/CustomAuthenticationMechanismHandler.java
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+package ee.jakarta.tck.security.test;
+
+import static jakarta.interceptor.Interceptor.Priority.APPLICATION;
+
+import jakarta.annotation.Priority;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.enterprise.inject.Alternative;
+import jakarta.inject.Inject;
+import jakarta.security.enterprise.AuthenticationException;
+import jakarta.security.enterprise.AuthenticationStatus;
+import jakarta.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
+import jakarta.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition.BasicAuthenticationMechanism;
+import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
+import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanismHandler;
+import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+/**
+ * This HttpAuthenticationMechanismHandler overrides the default provided one and delegates
+ * requests to three individual authentication mechanisms depending on the request path.
+ *
+ * <p>
+ * This tests asserts the ability to define multiple beans using
+ * a {@code ...Definition} annotation. It specifically asserts that
+ * those can come from a repeatable annotation ("realm2" and "realm3")
+ * and that those can be combined with one defined elsewhere ("realm1").
+ *
+ */
+@BasicAuthenticationMechanismDefinition(
+    realmName="realm2",
+    qualifiers = { BasicAuthenticationMechanism2.class}
+)
+
+@BasicAuthenticationMechanismDefinition(
+    realmName="realm3",
+    qualifiers = { BasicAuthenticationMechanism3.class}
+)
+
+@Alternative
+@Priority(APPLICATION)
+@ApplicationScoped
+public class CustomAuthenticationMechanismHandler implements HttpAuthenticationMechanismHandler {
+
+    @Inject
+    @BasicAuthenticationMechanism
+    HttpAuthenticationMechanism authenticationMechanism1;
+
+    @Inject
+    @BasicAuthenticationMechanism2
+    HttpAuthenticationMechanism authenticationMechanism2;
+
+    @Inject
+    @BasicAuthenticationMechanism3
+    HttpAuthenticationMechanism authenticationMechanism3;
+
+    @Override
+    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
+            HttpMessageContext httpMessageContext) throws AuthenticationException {
+
+        if (getRequestRelativeURI(request).startsWith("/protectedServlet1")) {
+            return authenticationMechanism1.validateRequest(request, response, httpMessageContext);
+        }
+
+        if (getRequestRelativeURI(request).startsWith("/protectedServlet2")) {
+            return authenticationMechanism2.validateRequest(request, response, httpMessageContext);
+        }
+
+        return authenticationMechanism3.validateRequest(request, response, httpMessageContext);
+    }
+
+    public static String getRequestRelativeURI(HttpServletRequest request) {
+        return request.getRequestURI().substring(request.getContextPath().length());
+    }
+
+}
diff --git a/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/ProtectedServlet1.java b/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/ProtectedServlet1.java
new file mode 100644
index 0000000..bbabbb9
--- /dev/null
+++ b/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/ProtectedServlet1.java
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation.
+ * Copyright (c) 2015, 2020 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package ee.jakarta.tck.security.test;
+
+import jakarta.annotation.security.DeclareRoles;
+import jakarta.inject.Inject;
+import jakarta.security.enterprise.SecurityContext;
+import jakarta.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.HttpConstraint;
+import jakarta.servlet.annotation.ServletSecurity;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * Test Servlet that prints out the name of the authenticated caller and whether
+ * this caller is in any of the roles {foo, bar, kaz}
+ *
+ */
+@BasicAuthenticationMechanismDefinition(
+    realmName="realm1"
+)
+@WebServlet("/protectedServlet1")
+@ServletSecurity(@HttpConstraint(rolesAllowed = "foo"))
+@DeclareRoles({"bar", "kaz"})
+public class ProtectedServlet1 extends HttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Inject
+    private SecurityContext securityContext;
+
+    @Override
+    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+
+        response.getWriter().write("This is a servlet \n");
+
+        String webName = null;
+        if (request.getUserPrincipal() != null) {
+            webName = request.getUserPrincipal().getName();
+        }
+
+        response.getWriter().write("web username: " + webName + "\n");
+
+        response.getWriter().write("web user has role \"foo\": " + request.isUserInRole("foo") + "\n");
+        response.getWriter().write("web user has role \"bar\": " + request.isUserInRole("bar") + "\n");
+        response.getWriter().write("web user has role \"kaz\": " + request.isUserInRole("kaz") + "\n");
+
+        String contextName = null;
+        if (securityContext.getCallerPrincipal() != null) {
+            contextName = securityContext.getCallerPrincipal().getName();
+        }
+
+        response.getWriter().write("context username: " + contextName + "\n");
+
+        response.getWriter().write("context user has role \"foo\": " + securityContext.isCallerInRole("foo") + "\n");
+        response.getWriter().write("context user has role \"bar\": " + securityContext.isCallerInRole("bar") + "\n");
+        response.getWriter().write("context user has role \"kaz\": " + securityContext.isCallerInRole("kaz") + "\n");
+
+        response.getWriter().write("has access " + securityContext.hasAccessToWebResource("/servlets"));
+
+    }
+
+}
diff --git a/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/ProtectedServlet2.java b/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/ProtectedServlet2.java
new file mode 100644
index 0000000..c6734b3
--- /dev/null
+++ b/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/ProtectedServlet2.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation.
+ * Copyright (c) 2015, 2020 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package ee.jakarta.tck.security.test;
+
+import jakarta.inject.Inject;
+import jakarta.security.enterprise.SecurityContext;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.HttpConstraint;
+import jakarta.servlet.annotation.ServletSecurity;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * Test Servlet that prints out the name of the authenticated caller and whether
+ * this caller is in any of the roles {foo, bar, kaz}
+ *
+ */
+@WebServlet("/protectedServlet2")
+@ServletSecurity(@HttpConstraint(rolesAllowed = "foo"))
+public class ProtectedServlet2 extends HttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Inject
+    private SecurityContext securityContext;
+
+    @Override
+    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+
+        response.getWriter().write("This is a servlet \n");
+
+        String webName = null;
+        if (request.getUserPrincipal() != null) {
+            webName = request.getUserPrincipal().getName();
+        }
+
+        response.getWriter().write("web username: " + webName + "\n");
+
+        response.getWriter().write("web user has role \"foo\": " + request.isUserInRole("foo") + "\n");
+        response.getWriter().write("web user has role \"bar\": " + request.isUserInRole("bar") + "\n");
+        response.getWriter().write("web user has role \"kaz\": " + request.isUserInRole("kaz") + "\n");
+
+        String contextName = null;
+        if (securityContext.getCallerPrincipal() != null) {
+            contextName = securityContext.getCallerPrincipal().getName();
+        }
+
+        response.getWriter().write("context username: " + contextName + "\n");
+
+        response.getWriter().write("context user has role \"foo\": " + securityContext.isCallerInRole("foo") + "\n");
+        response.getWriter().write("context user has role \"bar\": " + securityContext.isCallerInRole("bar") + "\n");
+        response.getWriter().write("context user has role \"kaz\": " + securityContext.isCallerInRole("kaz") + "\n");
+
+        response.getWriter().write("has access " + securityContext.hasAccessToWebResource("/servlets"));
+
+    }
+
+}
diff --git a/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/ProtectedServlet3.java b/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/ProtectedServlet3.java
new file mode 100644
index 0000000..509e1b6
--- /dev/null
+++ b/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/ProtectedServlet3.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation.
+ * Copyright (c) 2015, 2020 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package ee.jakarta.tck.security.test;
+
+import jakarta.inject.Inject;
+import jakarta.security.enterprise.SecurityContext;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.HttpConstraint;
+import jakarta.servlet.annotation.ServletSecurity;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * Test Servlet that prints out the name of the authenticated caller and whether
+ * this caller is in any of the roles {foo, bar, kaz}
+ *
+ */
+@WebServlet("/protectedServlet3")
+@ServletSecurity(@HttpConstraint(rolesAllowed = "foo"))
+public class ProtectedServlet3 extends HttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Inject
+    private SecurityContext securityContext;
+
+    @Override
+    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+
+        response.getWriter().write("This is a servlet \n");
+
+        String webName = null;
+        if (request.getUserPrincipal() != null) {
+            webName = request.getUserPrincipal().getName();
+        }
+
+        response.getWriter().write("web username: " + webName + "\n");
+
+        response.getWriter().write("web user has role \"foo\": " + request.isUserInRole("foo") + "\n");
+        response.getWriter().write("web user has role \"bar\": " + request.isUserInRole("bar") + "\n");
+        response.getWriter().write("web user has role \"kaz\": " + request.isUserInRole("kaz") + "\n");
+
+        String contextName = null;
+        if (securityContext.getCallerPrincipal() != null) {
+            contextName = securityContext.getCallerPrincipal().getName();
+        }
+
+        response.getWriter().write("context username: " + contextName + "\n");
+
+        response.getWriter().write("context user has role \"foo\": " + securityContext.isCallerInRole("foo") + "\n");
+        response.getWriter().write("context user has role \"bar\": " + securityContext.isCallerInRole("bar") + "\n");
+        response.getWriter().write("context user has role \"kaz\": " + securityContext.isCallerInRole("kaz") + "\n");
+
+        response.getWriter().write("has access " + securityContext.hasAccessToWebResource("/servlets"));
+
+    }
+
+}
diff --git a/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/TestIdentityStore.java b/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/TestIdentityStore.java
new file mode 100644
index 0000000..ca319fc
--- /dev/null
+++ b/tck/app-custom-authentication-mechanism-handler2/src/main/java/ee/jakarta/tck/security/test/TestIdentityStore.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2015, 2020 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package ee.jakarta.tck.security.test;
+
+import static java.util.Arrays.asList;
+import static jakarta.security.enterprise.identitystore.CredentialValidationResult.INVALID_RESULT;
+
+import java.util.HashSet;
+
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.security.enterprise.credential.UsernamePasswordCredential;
+import jakarta.security.enterprise.identitystore.CredentialValidationResult;
+import jakarta.security.enterprise.identitystore.IdentityStore;
+
+@ApplicationScoped
+public class TestIdentityStore implements IdentityStore {
+
+    public CredentialValidationResult validate(UsernamePasswordCredential usernamePasswordCredential) {
+
+        if (usernamePasswordCredential.compareTo("reza", "secret1")) {
+            return new CredentialValidationResult("reza", new HashSet<>(asList("foo", "bar")));
+        }
+
+        return INVALID_RESULT;
+    }
+
+}
diff --git a/tck/app-custom-authentication-mechanism-handler2/src/main/webapp/WEB-INF/beans.xml b/tck/app-custom-authentication-mechanism-handler2/src/main/webapp/WEB-INF/beans.xml
new file mode 100644
index 0000000..0711884
--- /dev/null
+++ b/tck/app-custom-authentication-mechanism-handler2/src/main/webapp/WEB-INF/beans.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="https://jakarta.ee/xml/ns/jakartaee"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_4_0.xsd"
+       bean-discovery-mode="all" version="4.0">
+</beans>
\ No newline at end of file
diff --git a/tck/app-custom-authentication-mechanism-handler2/src/test/java/ee/jakarta/tck/security/test/AppCustomAuthenticationMechanismHandler2IT.java b/tck/app-custom-authentication-mechanism-handler2/src/test/java/ee/jakarta/tck/security/test/AppCustomAuthenticationMechanismHandler2IT.java
new file mode 100644
index 0000000..3b9b3ec
--- /dev/null
+++ b/tck/app-custom-authentication-mechanism-handler2/src/test/java/ee/jakarta/tck/security/test/AppCustomAuthenticationMechanismHandler2IT.java
@@ -0,0 +1,146 @@
+/*
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package ee.jakarta.tck.security.test;
+
+import static ee.jakarta.tck.security.test.Assert.assertDefaultAuthenticated;
+import static ee.jakarta.tck.security.test.ShrinkWrap.mavenWar;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import com.gargoylesoftware.htmlunit.DefaultCredentialsProvider;
+import com.gargoylesoftware.htmlunit.WebResponse;
+import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanismHandler;
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.shrinkwrap.api.Archive;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+
+/**
+ * This test asserts that an application provided {@link HttpAuthenticationMechanismHandler} can override
+ * the default one by allowing multiple authentication mechanisms to co-exists.
+ *
+ * <p>
+ * In this test, three instances of the build-in Basic HTTP authentication mechanism are used. The custom
+ * handler invokes each one depending on the request URI that was used.
+ */
+@RunWith(Arquillian.class)
+public class AppCustomAuthenticationMechanismHandler2IT extends ArquillianBase {
+
+    @Deployment(testable = false)
+    public static Archive<?> createDeployment() {
+        return mavenWar();
+    }
+
+    /**
+     * Test that for path {@code /protectedServlet1} in effect {@link TestAuthenticationMechanism1} is used.
+     */
+    @Test
+    public void testAuthenticated1() {
+        WebResponse response = responseFromServer("/protectedServlet1");
+
+        assertEquals(401, response.getStatusCode());
+
+        assertTrue(
+            "Response did not contain the \"WWW-Authenticate\" header, but should have",
+            response.getResponseHeaderValue("WWW-Authenticate") != null);
+
+
+        // Most important part of the test: check that we have the correct authentication mechanism instance used
+
+        assertTrue(
+            "Response did not contain \"realm1\" in the \"WWW-Authenticate\" header value, but should have",
+            response.getResponseHeaderValue("WWW-Authenticate").contains("realm1"));
+
+
+        // For completion, check that authentication mechanism also actually authenticates
+
+        DefaultCredentialsProvider credentialsProvider = new DefaultCredentialsProvider();
+        credentialsProvider.addCredentials("reza", "secret1");
+
+        getWebClient().setCredentialsProvider(credentialsProvider);
+
+        assertDefaultAuthenticated(
+            readFromServer("/protectedServlet1"));
+    }
+
+    /**
+     * Test that for path {@code /protectedServlet2} in effect {@link TestAuthenticationMechanism2} is used.
+     */
+    @Test
+    public void testAuthenticated2() {
+        WebResponse response = responseFromServer("/protectedServlet2");
+
+        assertEquals(401, response.getStatusCode());
+
+        assertTrue(
+            "Response did not contain the \"WWW-Authenticate\" header, but should have",
+            response.getResponseHeaderValue("WWW-Authenticate") != null);
+
+
+        // Most important part of the test: check that we have the correct authentication mechanism instance used
+
+        assertTrue(
+                "Response did not contain \"realm1\" in the \"WWW-Authenticate\" header value, but should have",
+                response.getResponseHeaderValue("WWW-Authenticate").contains("realm2"));
+
+
+        // For completion, check that authentication mechanism also actually authenticates
+
+        DefaultCredentialsProvider credentialsProvider = new DefaultCredentialsProvider();
+        credentialsProvider.addCredentials("reza", "secret1");
+
+        getWebClient().setCredentialsProvider(credentialsProvider);
+
+        assertDefaultAuthenticated(
+            readFromServer("/protectedServlet2"));
+    }
+
+    /**
+     * Test that for path {@code /protectedServlet3} in effect {@link TestAuthenticationMechanism3} is used.
+     */
+    @Test
+    public void testAuthenticated3() {
+        WebResponse response = responseFromServer("/protectedServlet3");
+
+        assertEquals(401, response.getStatusCode());
+
+        assertTrue(
+            "Response did not contain the \"WWW-Authenticate\" header, but should have",
+            response.getResponseHeaderValue("WWW-Authenticate") != null);
+
+
+        // Most important part of the test: check that we have the correct authentication mechanism instance used
+
+        assertTrue(
+                "Response did not contain \"realm3\" in the \"WWW-Authenticate\" header value, but should have",
+                response.getResponseHeaderValue("WWW-Authenticate").contains("realm3"));
+
+
+        // For completion, check that authentication mechanism also actually authenticates
+
+        DefaultCredentialsProvider credentialsProvider = new DefaultCredentialsProvider();
+        credentialsProvider.addCredentials("reza", "secret1");
+
+        getWebClient().setCredentialsProvider(credentialsProvider);
+
+        assertDefaultAuthenticated(
+            readFromServer("/protectedServlet3"));
+    }
+
+}