From fb466f0fd7c8804ec8c6f6c816ebf5070e14ea92 Mon Sep 17 00:00:00 2001 
From: Bauke Scholtz
Date: Sun, 10 May 2026 15:48:51 -0400
Subject: [PATCH 1/6] Migrate from arquillian-glassfish-server-managed to arquillian-glassfish-server-pool
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replaces the per-module GlassFish unpack + JVM-scoped server lifecycle
with a shared pre-warmed slot pool, mirroring the faces/tck migration in
jakartaee/faces#2165. A single GlassFish dist is unpacked at validate,
all slots clone from it, and the arquillian-glassfish-server-pool
extension leases a slot per test JVM. Default invocation is unchanged
(mvn verify); mvn clean install -T8 drops wall-clock from ~24 min to
~2 min.

- glassfish-pool-maven-plugin in pluginManagement carries distribution +
  per-overlay (jakarta.security-api, soteria, soteria-weld) config;
  per-overlay tags wire to the existing security.api.update /
  soteria.update master switches via a build-helper bsh-property hop.
- glassfish-ci-managed profile rewritten: arquillian-glassfish-server-pool
  in place of -managed, pool:up at initialize, parent-owned source-staging
  antrun at validate (mkdir-lock + marker, awk-portable) handles unpack,
  Mitre cert import into cacerts.p12, and trustStorePassword injection
  into domain.xml — see the in-line comment on gf.pool.unpack.skip for
  why these have to land before pool:up.
- maven-install-plugin install-file (vendor-api jar for sigtest) is now
  inherited=false at initialize on the reactor root only — aggregator
  goal with a per-module execution wasn't safe under -T.
- maven-surefire-report-plugin failsafe-report-only and cyclonedx
  makeAggregateBom: same root-only treatment, removes the parallel-build
  aggregator stalls.

Shared-pool collateral fixed alongside (each came up while making
individual modules -T-safe; README's "Running tests in parallel" section
documents the rules for new modules):

- Per-module H2 JNDI: each app-db-* binds DataSource under a unique
  java:global/securityAPIDB- instead of all sharing one global name
  (collisions with one GF JVM hosting many sequential deploys).
- Per-module embedded LDAP ports: app-ldap2/3 split off the colliding
  33389 onto 33390/33391; app-ldap stays on 33389.
- app-openid: hardcoded http://localhost:8080/openid-server/... replaced
  with EL/UriInfo-derived URLs (OpenIdConfig.getProviderURI() backed by
  injected HttpServletRequest; OidcProvider uses @Context UriInfo) so
  metadata, JWT issuer and providerURI all track the live request.
- app-openid2/3: per-module Tomcat ports (8443+8005 / 8444+8006);
  clients.sql redirect URIs pre-registered for every slot the pool may
  grow to (= \${session.request.degreeOfConcurrency} = -TN, exposed as a
  regular property via bsh-property since Maven only resolves bean
  expressions for typed Plexus parameters); openid3 cert pair refreshed
  (the original expired 2023-03 and PKIX rejects it on a current JDK);
  Tomcat work/ wiped before startup so SESSIONS.ser doesn't resurrect
  Mitre's "client already authorized" state across re-runs without clean.
- arquillian.xml: glassfish-pool container added (default), poolDir from
  the gf.pool.dir property forwarded by failsafe.

The Mitre cert handling needed two pre-startup fixes: the cert must be in
cacerts.p12 *before* GF starts (Java caches the default SSLContext on
first SSL use and never reloads from disk), and
-Djavax.net.ssl.trustStorePassword must be set on the GF JVM via
domain.xml — without it Java loads the PKCS12 truststore with zero trust
anchors regardless of how many certs the file contains.
Pre-migration this came through arquillian-glassfish-server-managed's glassfish.systemProperties hook; the pool plugin doesn't have an equivalent so we bake it into source domain.xml instead. Co-Authored-By: Claude Opus 4.7 (1M context) --- tck/README.md | 92 ++++++ .../tck/security/test/DatabaseSetup.java | 4 +- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +- .../tck/security/test/DatabaseSetup.java | 4 +- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +- .../test/ServletForDatabaseIDStore.java | 2 +- .../jakarta/tck/security/test/LdapSetup.java | 4 +- .../ee/jakarta/tck/security/test/Servlet.java | 2 +- .../jakarta/tck/security/test/LdapSetup.java | 4 +- .../ee/jakarta/tck/security/test/Servlet.java | 2 +- .../client/defaulttests/OpenIdConfig.java | 15 + .../client/defaulttests/SecuredServlet.java | 2 +- .../defaulttests/SecuredServletWithEL.java | 2 +- .../security/test/server/OidcProvider.java | 37 ++- 
.../tck/security/test/OpenIdTestUtil.java | 4 + tck/app-openid2/pom.xml | 59 ++-- tck/app-openid3/localhost-rsa.jks | Bin 2744 -> 2744 bytes tck/app-openid3/pom.xml | 61 ++-- tck/app-openid3/server.xml | 4 +- .../tck/security/test/ProtectedServlet.java | 2 +- tck/app-openid3/tomcat.cert | 30 +- tck/common/src/main/resources/arquillian.xml | 13 + tck/pom.xml | 286 +++++++++++------- 45 files changed, 426 insertions(+), 275 deletions(-) diff --git a/tck/README.md b/tck/README.md index fc85f927..ec8413cd 100644 --- a/tck/README.md +++ b/tck/README.md 
@@ -58,6 +58,98 @@ This sub-repo contains working applications that demonstrate and test various as * Test URL: http://localhost:8080/app-securitycontext-auth/servlet?name=rezax (fails authentication via exception) * Test URL: http://localhost:8080/app-securitycontext-auth/servlet?name=rezax (fails authentication via status return code) +## Running tests in parallel (`mvn -T`) + +The default `mvn verify` already uses the GlassFish pool (provisioned by +`glassfish-pool-maven-plugin`, started/cloned per slot, leased by each test +JVM). Adding `-T` runs reactor modules in parallel and is a large +wall-clock win, 10x faster on average. + +The pool itself is parallel-safe (`PoolBootstrap.up` is JVM-wide synchronized ++ idempotent, slot leasing uses `FileChannel.tryLock`), but test modules +have to follow a few rules to be `-T`-safe. Existing modules already comply; +when adding a new one, check the points below. + +### 1. No global JNDI collisions + +Each test JVM gets a fresh `@Deployment` (Arquillian deploys → runs → undeploys), +but a single pool slot's GlassFish JVM hosts many such deploys sequentially over +its lifetime. Resource definitions (`@DataSourceDefinition`, etc.) bound under +`java:global/` are visible to GF's connector subsystem across deploys, +so two modules using the same `java:global/` can race through CDI bean +discovery + JCA registration. Suffix the name with the module identifier so +each module owns its own JNDI namespace. + +```java +// BAD — every app-db-* module would share the same binding +@DataSourceDefinition(name = "java:global/securityAPIDB", ...) + +// GOOD — module-suffixed +@DataSourceDefinition(name = "java:global/securityAPIDB-priorityuseforexpr", ...) +``` + +The matching `@Resource(lookup = ...)` and any +`@DatabaseIdentityStoreDefinition(dataSourceLookup = ...)` need to use the +same suffixed name. + +### 2. 
No host-port collisions across modules + +Modules that start an embedded server bound to `localhost:` (UnboundID +LDAP, Tomcat for the Mitre OP, …) must each pick a distinct port. Under `-T` +two modules on the same port fight: only one binds, the other silently +fails, and tests get cryptic 500s or HTTP timeouts. + +Conventions in use: + +- LDAP modules: 33389 (`app-ldap`), 33390 (`app-ldap2`), 33391 (`app-ldap3`), + 12389-12413 for `app-ldap-*`. Pick the next free integer when adding one. +- Tomcat (Mitre OP) modules: 8443 + 8005 (`app-openid2`), 8444 + 8006 + (`app-openid3`). Pick another (8445/8007, …) for any new openid-with-Mitre + module, and keep `server.xml` + the `ProtectedServlet` `providerURI` + annotation + the antrun `` + in sync. + +### 3. No assumption that GF runs on a known port + +Pool slots get ports from `adminBase + (slot-1) * portStride` (default +14848 + N*100), and a test JVM may lease any slot. Do NOT hardcode a slot's +HTTP/HTTPS port in app code. Use `@ArquillianResource URL base` for the +deployed-app URL; for outbound URLs that have to be configured at deployment +time (e.g. Soteria's `OpenIdAuthenticationMechanismDefinition.providerURI`), +use an EL expression backed by a `@RequestScoped`/`@Dependent` CDI bean that +reads `request.getServerName()/getServerPort()` at request time — +`app-openid`'s `OpenIdConfig.getProviderURI()` is the reference. + +### 4. Pre-register every slot when an external service validates redirect URIs + +When a third-party server (e.g. Mitre OP) validates redirect URIs against a +fixed allowlist, register one entry per *possible* slot. The openid-client +deployment may end up on slot 1, 2, … N, and Mitre rejects any redirect URI +not pre-registered. 
`app-openid2`/`app-openid3`'s antrun loops slot +1..`${session.request.degreeOfConcurrency}` into `clients.sql` using the +pool's `adminBase` + `portStride` — that property is Maven's `-TN` value +(defaults to 1) and is also the upper bound on how far the pool can grow, +since each Maven thread leases at most one slot at a time. + +### 5. Wipe Tomcat `work/` before startup + +If a module starts its own Tomcat in pre-integration-test, add +`` to the antrun *before* +`startup.sh`. Tomcat's `StandardManager` persists HTTP sessions to +`work/Catalina/localhost//SESSIONS.ser` on shutdown and rehydrates +them at startup; without the wipe, a re-run without `mvn clean` resurrects +the previous run's sessions and can skip flows the test depends on (e.g. +the OpenID consent page). + +### 6. Don't race on shared paths in a `` execution + +Anything inheritable that writes to `${maven.multiModuleProjectDirectory}/…` +runs once per module under `-T` and races. The parent's source-staging step +uses a `mkdir`-based lock + marker file inside an `antrun` so first-acquirer +does the work and others fast-exit; copy that pattern for any new shared +preparation. Plain `maven-dependency-plugin:unpack` into a shared directory +is NOT thread-safe for the first-extraction window even with markers. + ## Running the TCK in Docker (needs updating to recent versions) diff --git a/tck/app-db-basic/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-basic/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 0d62604f..51b155be 100644 --- a/tck/app-db-basic/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-basic/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB", + name = "java:global/securityAPIDB-basic", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-basic;DB_CLOSE_ON_EXIT=FALSE" ) 
@@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB") + @Resource(lookup = "java:global/securityAPIDB-basic") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-basic/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-basic/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index 8c35d24c..c613ba8d 100644 --- a/tck/app-db-basic/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-basic/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java @@ -28,7 +28,7 @@ import jakarta.servlet.http.HttpServletResponse; @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB", + dataSourceLookup = "java:global/securityAPIDB-basic", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", hashAlgorithm = TestPlaintextPasswordHash.class) diff --git a/tck/app-db-hashalgorithm/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-hashalgorithm/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index d15945ac..f287a97f 100644 --- a/tck/app-db-hashalgorithm/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-hashalgorithm/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -41,7 +41,7 @@ * and key sizes so {@code verify(...)} reads them per row. */ @DataSourceDefinition( - name = "java:global/securityAPIDB", + name = "java:global/securityAPIDB-hashalgorithm", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-hashalgorithm;DB_CLOSE_ON_EXIT=FALSE" ) @@ -49,7 +49,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB") + @Resource(lookup = "java:global/securityAPIDB-hashalgorithm") private DataSource dataSource; @PostConstruct 
diff --git a/tck/app-db-hashalgorithm/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-hashalgorithm/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index 32b9765b..ad5d971a 100644 --- a/tck/app-db-hashalgorithm/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-hashalgorithm/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java @@ -35,7 +35,7 @@ * iterations, and salt/key sizes per row. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB", + dataSourceLookup = "java:global/securityAPIDB-hashalgorithm", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", hashAlgorithm = Pbkdf2PasswordHash.class) diff --git a/tck/app-db-hashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-hashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 3b4caded..0eba262b 100644 --- a/tck/app-db-hashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-hashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -40,7 +40,7 @@ * reads parameters back from the encoded hash. */ @DataSourceDefinition( - name = "java:global/securityAPIDB", + name = "java:global/securityAPIDB-hashalgorithmparam", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-hashalgorithmparam;DB_CLOSE_ON_EXIT=FALSE" ) @@ -48,7 +48,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB") + @Resource(lookup = "java:global/securityAPIDB-hashalgorithmparam") private DataSource dataSource; @PostConstruct 
diff --git a/tck/app-db-hashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-hashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index 530e9862..d667b09d 100644 --- a/tck/app-db-hashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-hashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java @@ -35,7 +35,7 @@ * hashed under different parameter sets. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB", + dataSourceLookup = "java:global/securityAPIDB-hashalgorithmparam", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", hashAlgorithm = Pbkdf2PasswordHash.class, diff --git a/tck/app-db-invalidcallerquery/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-invalidcallerquery/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 7132cc1f..471ec012 100644 --- a/tck/app-db-invalidcallerquery/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-invalidcallerquery/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB", + name = "java:global/securityAPIDB-invalidcallerquery", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-invalidcallerquery;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB") + @Resource(lookup = "java:global/securityAPIDB-invalidcallerquery") private DataSource dataSource; @PostConstruct 
diff --git a/tck/app-db-invalidcallerquery/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-invalidcallerquery/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index ba7a4ed3..19e0a6c7 100644 --- a/tck/app-db-invalidcallerquery/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-invalidcallerquery/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java @@ -33,7 +33,7 @@ * "Exception received." in the response body. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB", + dataSourceLookup = "java:global/securityAPIDB-invalidcallerquery", callerQuery = "select invalid from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", hashAlgorithm = TestPlaintextPasswordHash.class) diff --git a/tck/app-db-invaliddatasource/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-invaliddatasource/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 5c963457..d3ba6c2d 100644 --- a/tck/app-db-invaliddatasource/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-invaliddatasource/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB", + name = "java:global/securityAPIDB-invaliddatasource", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-invaliddatasource;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB") + @Resource(lookup = "java:global/securityAPIDB-invaliddatasource") private DataSource dataSource; @PostConstruct 
diff --git a/tck/app-db-invalidgroupsquery/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-invalidgroupsquery/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 17737280..93af0a0e 100644 --- a/tck/app-db-invalidgroupsquery/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-invalidgroupsquery/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB", + name = "java:global/securityAPIDB-invalidgroupsquery", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-invalidgroupsquery;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB") + @Resource(lookup = "java:global/securityAPIDB-invalidgroupsquery") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-invalidgroupsquery/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-invalidgroupsquery/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index c3e1d611..16ac57d9 100644 --- a/tck/app-db-invalidgroupsquery/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-invalidgroupsquery/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java @@ -33,7 +33,7 @@ * as "Exception received." in the response body. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB", + dataSourceLookup = "java:global/securityAPIDB-invalidgroupsquery", callerQuery = "select password from caller where name = ?", groupsQuery = "select invalid from caller_groups where caller_name = ?", hashAlgorithm = TestPlaintextPasswordHash.class) 
diff --git a/tck/app-db-invalidhashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-invalidhashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 42da84bc..175fa1f7 100644 --- a/tck/app-db-invalidhashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-invalidhashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -40,7 +40,7 @@ * Pbkdf2 self-describing hash format. */ @DataSourceDefinition( - name = "java:global/securityAPIDB", + name = "java:global/securityAPIDB-invalidhashalgorithmparam", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-invalidhashalgorithmparam;DB_CLOSE_ON_EXIT=FALSE" ) @@ -48,7 +48,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB") + @Resource(lookup = "java:global/securityAPIDB-invalidhashalgorithmparam") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-invalidhashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-invalidhashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index efae7634..557110bf 100644 --- a/tck/app-db-invalidhashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-invalidhashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java @@ -36,7 +36,7 @@ * users still validate. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB", + dataSourceLookup = "java:global/securityAPIDB-invalidhashalgorithmparam", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", hashAlgorithm = Pbkdf2PasswordHash.class, 
diff --git a/tck/app-db-invalidpriorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-invalidpriorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index a87062a4..3e592de0 100644 --- a/tck/app-db-invalidpriorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-invalidpriorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB", + name = "java:global/securityAPIDB-invalidpriorityuseforexpr", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-invalidpriorityuseforexpr;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB") + @Resource(lookup = "java:global/securityAPIDB-invalidpriorityuseforexpr") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-invalidpriorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-invalidpriorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index a072e8e6..f0319377 100644 --- a/tck/app-db-invalidpriorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-invalidpriorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java @@ -35,7 +35,7 @@ * "Exception received." in the response body. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB", + dataSourceLookup = "java:global/securityAPIDB-invalidpriorityuseforexpr", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", useFor = { ValidationType.VALIDATE }, 
diff --git a/tck/app-db-multi/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-multi/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index f306ad48..dcf35e20 100644 --- a/tck/app-db-multi/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-multi/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB", + name = "java:global/securityAPIDB-multi", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-multi;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB") + @Resource(lookup = "java:global/securityAPIDB-multi") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-multi/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-multi/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index d95b426d..c09b2ced 100644 --- a/tck/app-db-multi/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-multi/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java @@ -39,7 +39,7 @@ * "two stores at different priorities" assertion semantics. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB", + dataSourceLookup = "java:global/securityAPIDB-multi", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", priority = 200, diff --git a/tck/app-db-notvalidated/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-notvalidated/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 1566eb9f..cef3806b 100644 --- a/tck/app-db-notvalidated/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java 
+++ b/tck/app-db-notvalidated/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB", + name = "java:global/securityAPIDB-notvalidated", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-notvalidated;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB") + @Resource(lookup = "java:global/securityAPIDB-notvalidated") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-notvalidated/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-notvalidated/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index d53e8be2..2e798f05 100644 --- a/tck/app-db-notvalidated/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-notvalidated/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java @@ -33,7 +33,7 @@ * credentials so any call to validate() returns NOT_VALIDATED. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB", + dataSourceLookup = "java:global/securityAPIDB-notvalidated", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", hashAlgorithm = TestPlaintextPasswordHash.class, diff --git a/tck/app-db-priorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-priorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 51452260..f73597e1 100644 --- a/tck/app-db-priorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-priorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java 
@@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB", + name = "java:global/securityAPIDB-priorityuseforexpr", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-priorityuseforexpr;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB") + @Resource(lookup = "java:global/securityAPIDB-priorityuseforexpr") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-priorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-priorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index 40e1d2f6..76b7e25d 100644 --- a/tck/app-db-priorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-priorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java @@ -36,7 +36,7 @@ * {@link IdentityStore1}. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB", + dataSourceLookup = "java:global/securityAPIDB-priorityuseforexpr", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", useFor = { ValidationType.VALIDATE }, diff --git a/tck/app-db-priorityuseforexprbean/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-priorityuseforexprbean/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 90c6225c..65f3e4c1 100644 --- a/tck/app-db-priorityuseforexprbean/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-priorityuseforexprbean/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java 
@@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB", + name = "java:global/securityAPIDB-priorityuseforexprbean", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-priorityuseforexprbean;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB") + @Resource(lookup = "java:global/securityAPIDB-priorityuseforexprbean") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-priorityuseforexprbean/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-priorityuseforexprbean/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index 6cfb197c..b7811582 100644 --- a/tck/app-db-priorityuseforexprbean/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-priorityuseforexprbean/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java @@ -35,7 +35,7 @@ * useFor {VALIDATE, PROVIDE_GROUPS}. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB", + dataSourceLookup = "java:global/securityAPIDB-priorityuseforexprbean", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", useFor = { ValidationType.VALIDATE }, diff --git a/tck/app-db-useforgroup/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-useforgroup/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 27377887..8df91f71 100644 --- a/tck/app-db-useforgroup/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-useforgroup/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java 
@@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB", + name = "java:global/securityAPIDB-useforgroup", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-useforgroup;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB") + @Resource(lookup = "java:global/securityAPIDB-useforgroup") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-useforgroup/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-useforgroup/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index cc15d877..8774e394 100644 --- a/tck/app-db-useforgroup/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-useforgroup/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java @@ -35,7 +35,7 @@ * complete the chain. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB", + dataSourceLookup = "java:global/securityAPIDB-useforgroup", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", useFor = { ValidationType.PROVIDE_GROUPS }, diff --git a/tck/app-db-useforvalidation/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-useforvalidation/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 042db4e6..010337dd 100644 --- a/tck/app-db-useforvalidation/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-useforvalidation/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java 
@@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB", + name = "java:global/securityAPIDB-useforvalidation", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-useforvalidation;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB") + @Resource(lookup = "java:global/securityAPIDB-useforvalidation") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-useforvalidation/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-useforvalidation/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index a3085256..9a80ec9c 100644 --- a/tck/app-db-useforvalidation/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-useforvalidation/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java @@ -29,7 +29,7 @@ import jakarta.servlet.http.HttpServletResponse; @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB", + dataSourceLookup = "java:global/securityAPIDB-useforvalidation", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", useFor = { ValidationType.VALIDATE }, diff --git a/tck/app-ldap2/src/main/java/ee/jakarta/tck/security/test/LdapSetup.java b/tck/app-ldap2/src/main/java/ee/jakarta/tck/security/test/LdapSetup.java index 29078e1b..a6f4c65d 100644 --- a/tck/app-ldap2/src/main/java/ee/jakarta/tck/security/test/LdapSetup.java +++ b/tck/app-ldap2/src/main/java/ee/jakarta/tck/security/test/LdapSetup.java 
@@ -28,7 +28,7 @@ import jakarta.ejb.Startup; /** - * Starts up the embedded Unboundid LDAP server on port 33389 and loads a test directory + * Starts up the embedded Unboundid LDAP server on port 33390 and loads a test directory * into it containing the same caller- and roles names as the Database and Embedded idenity * stores are using. * @@ -45,7 +45,7 @@ public void init() { try { InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig("dc=net"); config.setListenerConfigs( - new InMemoryListenerConfig("myListener", null, 33389, null, null, null)); + new InMemoryListenerConfig("myListener", null, 33390, null, null, null)); directoryServer = new InMemoryDirectoryServer(config); diff --git a/tck/app-ldap2/src/main/java/ee/jakarta/tck/security/test/Servlet.java b/tck/app-ldap2/src/main/java/ee/jakarta/tck/security/test/Servlet.java index 8a77f87e..c13c6627 100644 --- a/tck/app-ldap2/src/main/java/ee/jakarta/tck/security/test/Servlet.java +++ b/tck/app-ldap2/src/main/java/ee/jakarta/tck/security/test/Servlet.java @@ -30,7 +30,7 @@ * this caller is in any of the roles {foo, bar, kaz} */ @LdapIdentityStoreDefinition( - url = "ldap://localhost:33389/", + url = "ldap://localhost:33390/", bindDn = "uid=ldap,ou=apps,dc=jsr375,dc=net", bindDnPassword = "changeOnInstall", callerSearchBase = "dc=jsr375,dc=net", diff --git a/tck/app-ldap3/src/main/java/ee/jakarta/tck/security/test/LdapSetup.java b/tck/app-ldap3/src/main/java/ee/jakarta/tck/security/test/LdapSetup.java index 29078e1b..8deb8940 100644 --- a/tck/app-ldap3/src/main/java/ee/jakarta/tck/security/test/LdapSetup.java +++ b/tck/app-ldap3/src/main/java/ee/jakarta/tck/security/test/LdapSetup.java 
@@ -28,7 +28,7 @@ import jakarta.ejb.Startup; /** - * Starts up the embedded Unboundid LDAP server on port 33389 and loads a test directory + * Starts up the embedded Unboundid LDAP server on port 33391 and loads a test directory * into it containing the same caller- and roles names as the Database and Embedded idenity * stores are using. * @@ -45,7 +45,7 @@ public void init() { try { InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig("dc=net"); config.setListenerConfigs( - new InMemoryListenerConfig("myListener", null, 33389, null, null, null)); + new InMemoryListenerConfig("myListener", null, 33391, null, null, null)); directoryServer = new InMemoryDirectoryServer(config); diff --git a/tck/app-ldap3/src/main/java/ee/jakarta/tck/security/test/Servlet.java b/tck/app-ldap3/src/main/java/ee/jakarta/tck/security/test/Servlet.java index efc7571c..f7540ddf 100644 --- a/tck/app-ldap3/src/main/java/ee/jakarta/tck/security/test/Servlet.java +++ b/tck/app-ldap3/src/main/java/ee/jakarta/tck/security/test/Servlet.java @@ -30,7 +30,7 @@ * this caller is in any of the roles {foo, bar, kaz} */ @LdapIdentityStoreDefinition( - url = "ldap://localhost:33389/", + url = "ldap://localhost:33391/", bindDn = "uid=ldap,ou=apps,dc=jsr375,dc=net", bindDnPassword = "changeOnInstall", callerSearchBase = "dc=jsr375,dc=net", diff --git a/tck/app-openid/src/main/java/ee/jakarta/tck/security/test/client/defaulttests/OpenIdConfig.java b/tck/app-openid/src/main/java/ee/jakarta/tck/security/test/client/defaulttests/OpenIdConfig.java index b7616568..a5d2ecab 100644 --- a/tck/app-openid/src/main/java/ee/jakarta/tck/security/test/client/defaulttests/OpenIdConfig.java +++ b/tck/app-openid/src/main/java/ee/jakarta/tck/security/test/client/defaulttests/OpenIdConfig.java 
@@ -22,7 +22,9 @@ import jakarta.annotation.PostConstruct; import jakarta.enterprise.context.Dependent; +import jakarta.inject.Inject; import jakarta.inject.Named; +import jakarta.servlet.http.HttpServletRequest; @Named @Dependent @@ -35,6 +37,9 @@ public class OpenIdConfig { private Properties config; + @Inject + private HttpServletRequest request; + @PostConstruct public void init() { config = new Properties(); @@ -71,4 +76,14 @@ public String getClientSecret() { return OidcProvider.CLIENT_SECRET_VALUE; } + + /** + * Provider URI computed from the live request's host:port so the test runs + * against whatever HTTP listener the GlassFish slot has bound (the dist's + * default 8080, the pool's 14849, etc.) without recompiling. + */ + public String getProviderURI() { + return "http://" + request.getServerName() + ":" + request.getServerPort() + + "/openid-server/webresources/oidc-provider-demo"; + } } diff --git a/tck/app-openid/src/main/java/ee/jakarta/tck/security/test/client/defaulttests/SecuredServlet.java b/tck/app-openid/src/main/java/ee/jakarta/tck/security/test/client/defaulttests/SecuredServlet.java index 046953f4..10919f02 100644 --- a/tck/app-openid/src/main/java/ee/jakarta/tck/security/test/client/defaulttests/SecuredServlet.java +++ b/tck/app-openid/src/main/java/ee/jakarta/tck/security/test/client/defaulttests/SecuredServlet.java @@ -37,7 +37,7 @@ */ @WebServlet("/Secured") @OpenIdAuthenticationMechanismDefinition( - providerURI = "http://localhost:8080/openid-server/webresources/oidc-provider-demo", + providerURI = "${openIdConfig.providerURI}", clientId = CLIENT_ID_VALUE, clientSecret = CLIENT_SECRET_VALUE, redirectURI = "${baseURL}/Callback") diff --git a/tck/app-openid/src/main/java/ee/jakarta/tck/security/test/client/defaulttests/SecuredServletWithEL.java b/tck/app-openid/src/main/java/ee/jakarta/tck/security/test/client/defaulttests/SecuredServletWithEL.java index a72f3f29..e9c7046d 100644 
--- a/tck/app-openid/src/main/java/ee/jakarta/tck/security/test/client/defaulttests/SecuredServletWithEL.java +++ b/tck/app-openid/src/main/java/ee/jakarta/tck/security/test/client/defaulttests/SecuredServletWithEL.java @@ -34,7 +34,7 @@ */ @WebServlet("/Secured") @OpenIdAuthenticationMechanismDefinition( - providerURI = "http://localhost:8080/openid-server/webresources/oidc-provider-demo", + providerURI = "${openIdConfig.providerURI}", clientId = "${openIdConfig.clientId}", clientSecret = "${openIdConfig.clientSecret}", redirectURI = "${openIdConfig.redirectURI}") diff --git a/tck/app-openid/src/main/java/ee/jakarta/tck/security/test/server/OidcProvider.java b/tck/app-openid/src/main/java/ee/jakarta/tck/security/test/server/OidcProvider.java index e765c295..2221bd87 100644 --- a/tck/app-openid/src/main/java/ee/jakarta/tck/security/test/server/OidcProvider.java +++ b/tck/app-openid/src/main/java/ee/jakarta/tck/security/test/server/OidcProvider.java @@ -73,9 +73,11 @@ import jakarta.ws.rs.PathParam; import jakarta.ws.rs.Produces; import jakarta.ws.rs.QueryParam; +import jakarta.ws.rs.core.Context; import jakarta.ws.rs.core.MediaType; import jakarta.ws.rs.core.Response; import jakarta.ws.rs.core.Response.ResponseBuilder; +import jakarta.ws.rs.core.UriInfo; /** * @author Gaurav Gupta @@ -97,6 +99,18 @@ public class OidcProvider { private static final String HTTPS_HOST = "https://localhost:"; + /** + * Hardcoded base URL inside the static openid-configuration.json template + * and the JWT issuer claim. Rewritten at request time to {@link #issuer()} + * so the metadata and tokens match whatever HTTP listener GlassFish is + * actually bound to (the dist's default 8080, the pool's 14849, etc.). + */ + private static final String TEMPLATE_BASE_URL = + "http://localhost:8080/openid-server/webresources/oidc-provider-demo"; + + @Context + private UriInfo uriInfo; + private static String nonce; boolean rolesInUserInfoEndpoint; 
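Review bot: The Javadoc on TEMPLATE_BASE_URL in this OidcProvider hunk says the template URL is rewritten to issuer() at request time, but getConfiguration() substitutes HTTPS_HOST + oidcProviderHttpsPort instead whenever the HTTPS port is configured. Reword the comment to cover both targets, so it does not promise that the metadata always carries the issuer() value.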
@@ -133,21 +147,20 @@ public Response getConfiguration() { } } catch (IOException ex) {} - if (oidcProviderHttpsPort != null && !oidcProviderHttpsPort.isEmpty()) { - String httpsHostAndPort = HTTPS_HOST + oidcProviderHttpsPort; - result = useHttpsHostAndPort(result, "http://localhost:8080/openid-server/webresources/oidc-provider-demo/auth", httpsHostAndPort); - result = useHttpsHostAndPort(result, "http://localhost:8080/openid-server/webresources/oidc-provider-demo/token", httpsHostAndPort); - result = useHttpsHostAndPort(result, "http://localhost:8080/openid-server/webresources/oidc-provider-demo/userinfo", httpsHostAndPort); - result = useHttpsHostAndPort(result, "http://localhost:8080/openid-server/webresources/oidc-provider-demo/revoke", httpsHostAndPort); - result = useHttpsHostAndPort(result, "http://localhost:8080/openid-server/webresources/oidc-provider-demo/certs", httpsHostAndPort); - } + // Rewrite every TEMPLATE_BASE_URL/ in the metadata to either the live + // HTTPS host:port (when configured) or the live HTTP base. Done in one pass + // so the issuer URL also tracks the live request. + String liveBase = (oidcProviderHttpsPort != null && !oidcProviderHttpsPort.isEmpty()) + ? HTTPS_HOST + oidcProviderHttpsPort + "/openid-server/webresources/oidc-provider-demo" + : issuer(); + result = result.replace(TEMPLATE_BASE_URL, liveBase); return Response.ok(result).header("Access-Control-Allow-Origin", "*").build(); } - private String useHttpsHostAndPort(String result, String endpoint, String httpsHostAndPort) { - String path = endpoint.substring(21); - return result.replace(endpoint, httpsHostAndPort + path); + /** Live request's base URL for this resource — used as both metadata issuer and JWT iss claim. */ + private String issuer() { + return uriInfo.getBaseUriBuilder().path("oidc-provider-demo").build().toString(); } @GET 
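Review bot: In the HTTPS branch of getConfiguration(), the single result.replace(TEMPLATE_BASE_URL, liveBase) now rewrites the metadata issuer as well, where the removed useHttpsHostAndPort calls only touched auth, token, userinfo, revoke and certs. That issuer is built from the hardcoded HTTPS_HOST ("https://localhost:") plus oidcProviderHttpsPort, while tokenEndpoint() signs tokens with issuer() taken from uriInfo, so the discovery issuer and the JWT iss claim agree only when the token request itself arrives on https://localhost at that port. A relying party compares the two as exact strings, so derive both from one helper that applies the HTTPS override, and consider a test asserting that the metadata issuer equals the token's iss.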
@@ -209,7 +222,7 @@ public Response tokenEndpoint( .build(); JWTClaimsSet.Builder jwtClaimsBuilder = new JWTClaimsSet.Builder() - .issuer("http://localhost:8080/openid-server/webresources/oidc-provider-demo") + .issuer(issuer()) .subject(getSubject()) .audience(List.of(CLIENT_ID_VALUE)) .expirationTime(new Date(now.getTime() + 1000 * 60 * 10)) diff --git a/tck/app-openid/src/test/java/ee/jakarta/tck/security/test/OpenIdTestUtil.java b/tck/app-openid/src/test/java/ee/jakarta/tck/security/test/OpenIdTestUtil.java index 939f549d..aa6f6e06 100644 --- a/tck/app-openid/src/test/java/ee/jakarta/tck/security/test/OpenIdTestUtil.java +++ b/tck/app-openid/src/test/java/ee/jakarta/tck/security/test/OpenIdTestUtil.java @@ -34,6 +34,7 @@ import ee.jakarta.tck.security.test.client.CallbackServlet; import ee.jakarta.tck.security.test.client.UnsecuredServlet; import ee.jakarta.tck.security.test.client.UserNameServlet; +import ee.jakarta.tck.security.test.client.defaulttests.OpenIdConfig; import ee.jakarta.tck.security.test.server.ApplicationConfig; import ee.jakarta.tck.security.test.server.OidcProvider; @@ -81,6 +82,9 @@ public static WebArchive createClientDeployment(Class... additionalClasses) { .addClass(CallbackServlet.class) .addClass(UnsecuredServlet.class) .addClass(UserNameServlet.class) + // OpenIdConfig is the @Named CDI bean now backing every Secured* + // servlet's providerURI EL expression — needed by all client deployments. + .addClass(OpenIdConfig.class) .addClasses(additionalClasses) .addAsWebInfResource("beans.xml"); diff --git a/tck/app-openid2/pom.xml b/tck/app-openid2/pom.xml index a07ade7a..9293a7bf 100644 --- a/tck/app-openid2/pom.xml +++ b/tck/app-openid2/pom.xml @@ -132,15 +132,30 @@ - - - + + + + + + + + 
@@ -172,42 +187,8 @@ - - org.codehaus.mojo - keytool-maven-plugin - 2.0.2 - - - import-tomcat-cert - pre-integration-test - - importCertificate - - - ${project.basedir}/tomcat.cert - tomcat - ${trustStore.path} - ${trustStore.password} - true - true - true - - - - delete-tomcat-cert - post-integration-test - - deleteAlias - - - tomcat - ${trustStore.path} - ${trustStore.password} - true - - - - + + 
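Review bot: The removed delete-tomcat-cert execution (deleteAlias at post-integration-test) has no counterpart in the lines added here, so the import/delete pairing that limited trust in tomcat.cert to this module's integration-test phase is gone. Per the 2/6 commit message the import now happens in the antrun staging step, which puts the self-signed certificate into the staged GlassFish distribution rather than trusting it for this module only. Please confirm that no other module's tests expect that certificate to be untrusted and, if the two added lines do not already say so, point from here to where the import now lives.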
diff --git a/tck/app-openid3/localhost-rsa.jks b/tck/app-openid3/localhost-rsa.jks index f5226568d85fcfe480822f2e6a0020a3213cb361..0cb11e0a827721f6e54251889fd044d0c85a686c 100644 GIT binary patch delta 2489 zcmV;q2}bs~6}T0Ub`%kYVDJ^Y$vSm@S`ts@id2iTQVCmnkQK0T}1eVzH2RdI8z~41)blN3)eyXyy*;x^%=mim98GamWk=?FnuF%j+!aB!{mLBIiitv>n%!SL z{4j&DTJf9+)t!O|1~eK}Q(UNrO;Zh03C&Hxf;knC6tsWdwkZK?jYW>Yc9B;!2s_rs zTaJ|v$_EcyPQ4MVY{YIt+5VxQaOdw-PBWwhTI^a=bgQ0thUS_1B5SL_PZggs5t3niY8A7`=*`G@9#1x9yq*d)_XuI0lZfiBYyFSszpMJt|7`QoCjufmltz>e8 zYzt!}A5DUTxfk>yr{t2#?;kTOa5IKBsSfE;)A28()_y$|_M zvb_7d`Fl5|jTP(LEECoVKiU>S{fs0TfSBQZ2!MmUlvhuTc{uISsrn4bT{ei+gk=q*Y)&1#{S@D zK2(3fY*UUb8y+W&%_z!M9TWShAy|{b0<$G)gSYR4S?iNc79JvsSK(S_JrPx52=;1< zH&Ba1x(=wuXv9pp5{6VLd`$Qg-#Z?Jz3{iCcO+&gnF=J#Nb%Vy=$*RF2cQOq~@ zMDwpLG=MJ>E3~wAwbuPU=8Q;VRKYrg`a|bBnlu;9BXdx40Z?`8lO+I*2+g{(bX*GxI|WyI{P2b&Q%@ zovdc(U%AP(QPnEnrUiPiZ~6CA^WyPmoQ(?b9{0e+RgjfMBJ}|tiOT_J(=`?0xxW^}&*N>}ss{XA6q?lz5h*dlV^@|dH#=xA+?IRGK02jXNft(_{j_*R| zM04_Ze8?)g$pOy|a?|0GQgw+}Pi}H!=IwTdVpy{?)Y0wu7n=j?A+g$DXV-s+G-xNR zh99BrNRN?4Wuap88Wd{nz2Ea^jZ|hFZJ9^-4d%ppa;6^uqvefC?yGD68yqbCay|!U zXO2UrpGrB$*@kClLezZ;EYhJqqj3_=tbPeMmPPyQX0+;{XIrutGucMnMdui2;&?&LNQUD9HR~ z!kV37aT8zg-epl>)W1g51oZvlobV3ix_u7LTO;fKlSCg3e=CJIYiSiG{6!WNFrs&y zAA}+I)wpkT#L2+UJmJ5qXBL?}ea*?!Aafu~jB$^>aq(*~k6bxHeBoAC0*Rna`a8>K zOfZQxpQ;;mprYupVW3qw43;)@KZuBkeSioA5U+{pcMqUZd>!t?9Fa^bPqiT;S?&Y4 z2hRdy7p@i!e>1l&SjoCmEEv6)p@Fd2a05^pJdAQez5y?>b;l*U_v$b}Z}=Kj)+?k} zJ2z$SSc?*xsM%5yj&K_YziBP-+%k25aVo;gu4w~X=_c%FG~gk7`HNqWb#aJU@^FwZ zeN46Ptt$a$&Mr&{`UP@skqA}hM%qx9+@1m9iG4v$e-iMyZ^?+X^=OhD+Y%~XZqi!3 zS^%nlu%^q#1qj|IqNn$Re}5~1WWbQ9a`l+q+)RB6i77!#G9~4EYtAV3OLINR0asaG zpJ4xwyXlabHYnvVFC8eJZ|<`Bq~4it#=BvsGhOSp=vCD_N;52~KzQ4nF(Pz?2Kf4N@W8AY2QkO}L=NRHRyj^k*RU_Q;( z9bT+Lx$$+}+MW_;R3_!v2Nl+CB9-PQTAQnpV{6jXe_gv?Pm)_afa;}twLyag^Q-~? 
zC7*Do)KXI9YMGC(;~dtk{M+LPNnDG(_`SUxgd}~wD`|WX_5NBqpu2y{Ae9~l3YX9+ ze@45j08-jQytojUkrGRT2raHzQq6&ha|-O#N~@aBV)Q~c9>(tmsrYRsU!(9-08y!P}@Jn@mCU- zElo_L9~mF~IOKEthKfWoVxcJJJwX>pf3V(zSCQpWUzf0Ab^~4+Ete_;fBx4Zlq^p( z?O-{uNJ~8aTgWZd^jvAHrgVa|i$dPS($q~o)EHv!I(ea?jb|KnDk`pc&sPDt&qUQl z1R7ITg7RR3*=iY@ZqVabM}My5XlEIJW5m!1TlqpT)w5&T&g)A$>dF+rlr2EaYoSwa zT9gc#8va%T{8~?uK^v?_JpCBI0Duc$veU9$J$z1|)yd?6x3MF-XA{mifnX zEzoNOf&|bYJF2L`hUm@rP(V|b@cO|VMr4AgfX#icHFu6@^k;V{cAFZl>j18S<|Zns zuQu&D;L82)mUT40**yV8>$|m8x)^%q!9L;F;_2xWl2dKMM&yj7#<4rIPLOdCj12TW zKJ>D-gRX@!CXIhT@!$rM%G%J!0%LVP1c_?A65}+qooUE0n3c_+u1ka-kd`?#n|okP zcYNwxz+L}f`Ce&_=hSvH~u^=>g=j-wNlwYmv>3q zH~nj4R=;fTq+mKTV6i84p_BvyspNr+Afv`nhva&@6A%h7xdeT)*LDwGOYrG3?^sTz z{>jOxOEgAzcB=Hn#M-nt8wGWT%GT4FzZM8Vd5*&3;iD6qv(&--% zpe<@}k$VsKbsJg&7GWCiE{MtSd`xyMItcM~DpBF7V5+o#F!9waH|-u}d=Z3P(L(x{ zk-5Sme7TM#^7(!pp;L(hpsHGcn&M?UXJJBL13jy@1avg(b_>aHzav#74)ro z+a55US3i6o?wa_(E_IL{rl}U;hd8lMmj%g#&%yRO%A=?WOi?qgM38QNRQ> z4Mu<5Cn-5E&A;*^d@BzSb}SGo1hqMba0~TtmDwc-FlgK2mxfx+C+}NMiFp(#=*#6g zM;IajxYpwM(d5>gyaIP9@V|Kof3~fqC5`Oj>Z;~GR7b0dI*cPGnVEnV~Fw)Vi3O$=# zB?<@P>!0?E-J<;Y(lZhNE|@RdXH%)2&N+!CUZP5rceGY^itJj}1ZCJ0voV;gb%A-6P={ZA_%XU zM2n`=>5u*%Hu zF+eaI1_>&LNQUwsj=?*)*Y5~iFpNU zU;Fw!xq+C}Ar`ido6yATITiCXmq4w$1-QPQOqtPzm#2iDS4{r{E=@h*_v0ok2DN!E z@B$AJSOp_$GDV7a4Zk*re{V%23+(7>8=@HH5QZsyduusFfA1%|zO_?k!EjYnt&m6B@-rUeAGE97FQr+%m-@@gP8fm2g)W07K zIci(9j(72Ias{4D04+^YfhR9Q_mq{j!vnuCGaxXqd1#GdqilI4JCYi`;tDjLLPde& zd0g^A_M1Rff1|&ACDyL-@i+z*Oab{53utiN?Rltp_t0q4@{61dDJ_K4nC>(jFY-gO z(!g9Px;mdH*}c#dcv~-xe(Ag`{Do;dmxPxJ@Ghxeg;;+H5bq;V$ZM@9?r_eU2*uxU zgO*l|ZH%f9#JY&`Bcq5>r?|3U$*aqht@m zHd%2{0mz*AW@xWH4SGc_i^bDo_zpy1Q`TF{I!J#!)nfm`@xQkAd9+p>4JCQBb?95X zoaaAnv^h@T;)DiV;#ChdC9B@f5fHUQdqc9ouW91aAXIRb=)f-ZF5FlBDU%b60O=oz z%goRzf7gE2kvt|&Bk(IVxQLR5WR5k~s8T=DK|y4myb)fC+LuhB3fHxO zDux8{N)uyAnSWq8mZdfq%3?|&JDHp1)kg=B#9lEHEa!Ckru>1i;ahj&;WxJ14b*clB1kh>CChl%qi3XaQSsyBZQRt{U-E7?1hbU=yR3~>o zk?j6$dLVHM$uw`DqHy2CNI?XPk{*+eW1a2p9ps?K0`wtf3&N#?hiaA-$My^9)}rEg 
zIU$w=i7U?5b`{@a%ZA|TIl7Is3GcB5f3R_+p%2zA`A}4ln+{BaMBC6js@>kNPm@S? zcr%bAftCXt0b%G+H_#SggCnS~viUisu*O&C1~ z$(jO41gA($QvMHurqK61c5g;}Ggn*q+P^d;Y8DQ^R2`}QtYEB=ud@Ls^(8i)Yn9-y z9z!nK2=?Q}U=1+13SU&H(6B<|i}sqWl`u^(F)$4V31Egu0c8UO0s#d81Rzw5Ry`g6 z%e(!FJe!1Lu`u#a->iC%)K~q7kev11O{Vt Replacing in ${tomcat.dir} - + - - - + + + + + + + + @@ -167,42 +182,8 @@ - - org.codehaus.mojo - keytool-maven-plugin - 2.0.2 - - - import-tomcat-cert - pre-integration-test - - importCertificate - - - ${project.basedir}/tomcat.cert - tomcat - ${trustStore.path} - ${trustStore.password} - true - true - true - - - - delete-tomcat-cert - post-integration-test - - deleteAlias - - - tomcat - ${trustStore.path} - ${trustStore.password} - true - - - - + + diff --git a/tck/app-openid3/server.xml b/tck/app-openid3/server.xml index 43188665..e3cff4ab 100644 --- a/tck/app-openid3/server.xml +++ b/tck/app-openid3/server.xml @@ -15,7 +15,7 @@ --> - + @@ -32,7 +32,7 @@ - diff --git a/tck/app-openid3/src/main/java/ee/jakarta/tck/security/test/ProtectedServlet.java b/tck/app-openid3/src/main/java/ee/jakarta/tck/security/test/ProtectedServlet.java index eac9bb24..eb40857c 100644 --- a/tck/app-openid3/src/main/java/ee/jakarta/tck/security/test/ProtectedServlet.java +++ b/tck/app-openid3/src/main/java/ee/jakarta/tck/security/test/ProtectedServlet.java @@ -38,7 +38,7 @@ // The Mitre "openid-connect-server-webapp" provider that we deploy via pom.xml // The OpenId authentication mechanism directs us to here when logging in. - providerURI = "https://localhost:8443/openid-connect-server-webapp", + providerURI = "https://localhost:8444/openid-connect-server-webapp", // The ID of default client provided by Mitre. // See openid-connect-server-webapp/WEB-INF/classes/db/hsql/clients.sql: diff --git a/tck/app-openid3/tomcat.cert b/tck/app-openid3/tomcat.cert index 34ecbe05..8c336d34 100644 --- a/tck/app-openid3/tomcat.cert +++ b/tck/app-openid3/tomcat.cert 
@@ -1,21 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDeTCCAmGgAwIBAgIIcK6YkkSkzCwwDQYJKoZIhvcNAQELBQAwazELMAkGA1UE +MIIDeTCCAmGgAwIBAgIIA7nA+YhYdgswDQYJKoZIhvcNAQELBQAwazELMAkGA1UE BhMCbmwxEDAOBgNVBAgTB2hvbGxhbmQxEjAQBgNVBAcTCWFtc3RlcmRhbTEQMA4G A1UEChMHZWNsaXBzZTEQMA4GA1UECxMHamFrYXJ0YTESMBAGA1UEAxMJbG9jYWxo -b3N0MB4XDTIyMTIwOTIyMjM1OVoXDTIzMDMwOTIyMjM1OVowazELMAkGA1UEBhMC +b3N0MB4XDTI1MDgwNjE1NTYzOVoXDTM1MDgwNDE1NTYzOVowazELMAkGA1UEBhMC bmwxEDAOBgNVBAgTB2hvbGxhbmQxEjAQBgNVBAcTCWFtc3RlcmRhbTEQMA4GA1UE ChMHZWNsaXBzZTEQMA4GA1UECxMHamFrYXJ0YTESMBAGA1UEAxMJbG9jYWxob3N0 -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyVui1k3XIof7ub0zn8VW -TRkRHK0cgbPLKRiyv/K4kFANWfsAil8jAkFEMkzCOsAtEGSkb5VtXZPXFKNxqLms -F4SXZf6BlthVm4Llk/HrBjR1AA4WoRe6GmOtAvJkPzHC18ysQiGT+lODh4Rk3tDn -R845ACw1dwMXsU1Vku58tbrllqfTFmrLzuOgTMn72RZS4WShvSW9Q2oPzMvX8+xl -lU6XP0Sg+zfujVj8HVjZWqjbRmhp8AN1tdBKd6tQ97f3cwdHr7NzTaHwEYdu9iSy -7PXvCsfjcZW03f7urCvVcti7gdqxHpWJxUGZsaah0E+jfdXZ56vHvifKibIlxPwL -4wIDAQABoyEwHzAdBgNVHQ4EFgQUJOd5/soSTVLtSKFd76h9Aax/qUAwDQYJKoZI -hvcNAQELBQADggEBAJJNB1Z/wEZh5tP4cPBNxqrvRqhwyTBoQVOfMz44ws16Ephm -BxquCim/vX/XstbRlxPgV4RUS1UWrvdJYrbZq5b+TNOfEn+Dz1yZ9VTlp1cbGHKG -a8IcjuQnXxEQYUfA1DeD5uEVoZsOUCw/BU/1pDFVsvxlsGnKvU3q7MD9OyM5Tqz/ -ImKmFTxH1qf9D0lFZj8qzhBONBXh+eEeq64NFNouGr9ya7V8FH2tKmeSXTnSuK/z -b+VxkfKwogO++JFYoNSifhpKzzPInK9qUsX4xfTLBF2K7THkBbm99wsw8jp4lkd8 -mLifgwyUQJ0zEP7OOkzVSh8/V5gt/N5IcvFFvLk= +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoeMV3BN5XH8XtL4uUuS9 +cRoyfa9hAruDiZlV7X+5atdONZV45IQrz/TpS/a07bPG9iRaqA8i4PSGroADBpuP +9YtPzqZvGc+OBsISiTW9X6GddC3YHGbfrIcDVx37mbSIXn1NZbpz1FZD8nYOHQEn +WKwgNcLKHbnMST/Wm8Q9LYjQjWV0Fjg5DEgTi6IDoZV3rTTaiHnxQ+FXy90NmIv/ +fnxtBSDQJ6mEmHDomF4IqFSstM+jQqOpx935q5SuRM9tews+SXjVFg0U8KxcAq9Y +UZcpTUpWv5DPA7NUkTNAEwGpDhZdCRbMQ+0NrCeesKtT3prBle8u84qn2KgQDkMp +ywIDAQABoyEwHzAdBgNVHQ4EFgQUlNlERDXVaatRCss/2aSwyEXoc1QwDQYJKoZI +hvcNAQELBQADggEBAB67LkMg8wIjMaqcjb7QPomkpLp8MDYxwHQrp6pIeJfzqNBQ +J7TKL4/08LRTShLjYDPUXZ5km9eEBmoTX+wGzw1Lla7mPn7OS+jWbUlMGAVUMJ9K 
+vfz7DdRLuFn44kJGJG7Tgan/3mYXwoAKNn9hRuUTRy4gDAecFQkHzAWNCWCQK/eP +6ZpAWu0sj5vEMmrBlwbUTIUfuAGt55G5g/JWNL6YKXftys6FtawwgpZxxpV/BLMH +cYW7s5Q6s0rZKvG5fcXsO4T3btw9Eq0U+Ul1DFHXbLOI8r5tSDabZLNIxrqKkrT/ +5Fs8NE6j63mbBfrHGN5MS4mjFh+MqklHotGitp8= -----END CERTIFICATE----- diff --git a/tck/common/src/main/resources/arquillian.xml b/tck/common/src/main/resources/arquillian.xml index 0c4517c7..b4e728a3 100644 --- a/tck/common/src/main/resources/arquillian.xml +++ b/tck/common/src/main/resources/arquillian.xml @@ -22,6 +22,19 @@ + + + + ${gf.pool.dir} + + + xml diff --git a/tck/pom.xml b/tck/pom.xml index 8b49f045..dd160bad 100644 --- a/tck/pom.xml +++ b/tck/pom.xml @@ -192,7 +192,29 @@ ${project.basedir}/LICENSE_EFTL.md 5.0.0-SNAPSHOT 1.10.1.Final - + + + 9.0.0-M2 + 2.1.4-SNAPSHOT + false + false + 5.0.0 + + + 1 + ${maven.multiModuleProjectDirectory}/target/pool + ${maven.multiModuleProjectDirectory}/target/dist + ${gf.pool.dist}/glassfish9 + 14848 + 100 + + true + ${project.basedir}/target @@ -400,6 +422,49 @@ maven-site-plugin 3.21.0 + + ee.omnifish.arquillian + glassfish-pool-maven-plugin + ${glassfish.arquillian.version} + + ${gf.pool.dir} + ${gf.pool.source} + ${gf.pool.size} + ${gf.pool.adminBase} + ${gf.pool.portStride} + ${gf.pool.dist} + ${gf.pool.unpack.skip} + + org.glassfish.main.distributions + glassfish + ${glassfish.version} + zip + + + + jakarta.security.enterprise + jakarta.security.enterprise-api + ${security-api.version} + jakarta.security-api.jar + ${security.api.noupdate} + + + org.glassfish.soteria + soteria + ${soteria.version} + soteria.jar + ${soteria.noupdate} + + + org.glassfish.soteria + soteria.spi.bean.decorator.weld + ${soteria.version} + soteria.spi.bean.decorator.weld.jar + ${soteria.noupdate} + + + + @@ -457,6 +522,8 @@ 3.5.5 + aggregate-failsafe-report + false post-integration-test failsafe-report-only 
@@ -467,6 +534,26 @@ true + + + + org.cyclonedx + cyclonedx-maven-plugin + + + default + none + + + aggregate-bom-root + false + verify + + makeAggregateBom + + + + 
@@ -496,24 +583,10 @@ - 9.0.0-SNAPSHOT - 2.1.3 - 8080 - glassfish9 - ${project.build.directory} - - ${glassfish.root}/${glassfish.dirName} - - - p12 - ${glassfish.home}/glassfish/domains/domain1/config/cacerts.${trustStore.suffix} + p12 + ${gf.pool.dir}/slot-1/glassfish/glassfish/domains/domain1/config/cacerts.${trustStore.suffix} changeit - - false - - false - 5.0.0 - + - unpack - process-test-classes - - unpack - - - ${skipITs} - ${glassfish.root} - ${glassfish.root}/dependency-maven-plugin-markers - - - org.glassfish.main.distributions - glassfish - ${glassfish.version} - zip - true - ${glassfish.root} - - - - - - - - update-security-api - process-test-classes + expose-degree-of-concurrency + initialize - copy + bsh-property - ${security.api.noupdate} - - - jakarta.security.enterprise - jakarta.security.enterprise-api - ${security-api.version} - jar - true - ${glassfish.root}/glassfish9/glassfish/modules - jakarta.security-api.jar - - + + maven.degreeOfConcurrency = ${session.request.degreeOfConcurrency}; + + + maven.degreeOfConcurrency + + + - + + + org.apache.maven.plugins + maven-dependency-plugin + - update-security-impl - process-test-classes - - copy - + resolve-glassfish-dist + validate + get - ${soteria.noupdate} - - - org.glassfish.soteria - soteria - ${soteria.version} - jar - true - ${glassfish.root}/glassfish9/glassfish/modules - soteria.jar - - - org.glassfish.soteria - soteria.spi.bean.decorator.weld - ${soteria.version} - jar - true - ${glassfish.root}/glassfish9/glassfish/modules - soteria.spi.bean.decorator.weld.jar - - + org.glassfish.main.distributions:glassfish:${glassfish.version}:zip + + org.apache.maven.plugins maven-antrun-plugin 3.0.0 - set-port - pre-integration-test - - run - + prepare-source-glassfish + validate + run - ${skipITs} - Replacing in ${glassfish.home} - - - + + + + - + + + ee.omnifish.arquillian + glassfish-pool-maven-plugin + + + pool-up + initialize + up + + + + maven-install-plugin 3.1.4 - unpack - pre-integration-test 
+ install-vendor-api + false + initialize install-file - ${glassfish.root}/glassfish9/glassfish/modules/jakarta.security.enterprise-api.jar + ${gf.pool.source}/glassfish/modules/jakarta.security.enterprise-api.jar ${sigtest.api.groupId} ${sigtest.api.artifactId} ${sigtest.api.version} @@ -700,19 +753,18 @@ - + org.apache.maven.plugins maven-failsafe-plugin - ${glassfish.home} + ${gf.pool.dir} + ${gf.pool.source} + ${gf.pool.adminBase} + ${gf.pool.portStride} ${trustStore.path} ${trustStore.password} - - javax.net.debug=${glassfish.javax.net.debug} - javax.net.ssl.trustStorePassword=${trustStore.password} - From 23507635a351dcc9c5556c5f000def859f3607c1 Mon Sep 17 00:00:00 2001 From: Bauke Scholtz Date: Mon, 11 May 2026 07:36:03 -0400 Subject: [PATCH 2/6] Use glassfish-pool's native systemProperties for trustStorePassword MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Drops the awk hack that injected -Djavax.net.ssl.trustStorePassword=changeit into the source domain.xml from antrun. The pool plugin now exposes natively (mirroring arquillian-glassfish-server-managed), so we configure it via plugin instead of post-processing the staged dist by hand. The antrun staging step still does the unzip + Mitre cert import — the cert is TCK-specific and can't move into the pool plugin. Co-Authored-By: Claude Opus 4.7 (1M context) --- tck/pom.xml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/tck/pom.xml b/tck/pom.xml index dd160bad..afb3635e 100644 --- a/tck/pom.xml +++ b/tck/pom.xml @@ -680,17 +680,12 @@ org.apache.maven.plugins @@ -705,7 +700,7 @@ - + @@ -716,6 +711,11 @@ ee.omnifish.arquillian glassfish-pool-maven-plugin + + + javax.net.ssl.trustStorePassword=${trustStore.password} + + pool-up From 30de59e83631dcdb5d10ef1be79150f2020e02b4 Mon Sep 17 00:00:00 2001 
From: Bauke Scholtz Date: Mon, 11 May 2026 08:00:01 -0400 Subject: [PATCH 3/6] Revert GF 9.0.0-M2 to SNAPSHOT --- tck/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tck/pom.xml b/tck/pom.xml index afb3635e..05065f71 100644 --- a/tck/pom.xml +++ b/tck/pom.xml @@ -194,7 +194,7 @@ 1.10.1.Final - 9.0.0-M2 + 9.0.0-SNAPSHOT 2.1.4-SNAPSHOT false false From f014379ac45575de00257f58c3aa5fe67bf2a7e8 Mon Sep 17 00:00:00 2001 
From: Bauke Scholtz Date: Mon, 11 May 2026 10:52:43 -0400 Subject: [PATCH 4/6] Drop unnecessary per-module JNDI suffix workaround MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reverts the @DataSourceDefinition(name = "java:global/securityAPIDB-") workaround in 14 app-db-* modules — restores the shared "java:global/securityAPIDB" name and drops README rule #1. The workaround was added during the arquillian-glassfish-server-pool migration to dodge cross-module GeneralError failures. The actual root cause turned out to be an upstream GlassFish bug in ComponentEnvManagerImpl.getResourceId returning "" for ScopeType.GLOBAL, causing every app declaring the same java:global/X to share one physical connection pool — see BalusC/glassfish branch scope-global-resource-pools-per-app for the fix. With patched GlassFish in place the suffix is no longer needed; both sequential and -T8 parallel reactor runs pass with the shared name. README rules 2-6 renumbered to 1-5. 
Co-Authored-By: Claude Opus 4.7 (1M context) --- tck/README.md | 32 +++---------------- .../tck/security/test/DatabaseSetup.java | 4 +-- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +-- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +-- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +-- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +-- .../tck/security/test/DatabaseSetup.java | 4 +-- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +-- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +-- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +-- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +-- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +-- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +-- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +-- .../test/ServletForDatabaseIDStore.java | 2 +- .../tck/security/test/DatabaseSetup.java | 4 +-- .../test/ServletForDatabaseIDStore.java | 2 +- 28 files changed, 46 insertions(+), 68 deletions(-) diff --git a/tck/README.md b/tck/README.md index ec8413cd..1f82ab9c 100644 --- a/tck/README.md +++ b/tck/README.md 
@@ -70,29 +70,7 @@ The pool itself is parallel-safe (`PoolBootstrap.up` is JVM-wide synchronized have to follow a few rules to be `-T`-safe. Existing modules already comply; when adding a new one, check the points below. -### 1. No global JNDI collisions - -Each test JVM gets a fresh `@Deployment` (Arquillian deploys → runs → undeploys), -but a single pool slot's GlassFish JVM hosts many such deploys sequentially over -its lifetime. Resource definitions (`@DataSourceDefinition`, etc.) bound under -`java:global/` are visible to GF's connector subsystem across deploys, -so two modules using the same `java:global/` can race through CDI bean -discovery + JCA registration. Suffix the name with the module identifier so -each module owns its own JNDI namespace. - -```java -// BAD — every app-db-* module would share the same binding -@DataSourceDefinition(name = "java:global/securityAPIDB", ...) - -// GOOD — module-suffixed -@DataSourceDefinition(name = "java:global/securityAPIDB-priorityuseforexpr", ...) -``` - -The matching `@Resource(lookup = ...)` and any -`@DatabaseIdentityStoreDefinition(dataSourceLookup = ...)` need to use the -same suffixed name. - -### 2. No host-port collisions across modules +### 1. No host-port collisions across modules Modules that start an embedded server bound to `localhost:` (UnboundID LDAP, Tomcat for the Mitre OP, …) must each pick a distinct port. Under `-T` @@ -109,7 +87,7 @@ Conventions in use: annotation + the antrun `` in sync. -### 3. No assumption that GF runs on a known port +### 2. No assumption that GF runs on a known port Pool slots get ports from `adminBase + (slot-1) * portStride` (default 14848 + N*100), and a test JVM may lease any slot. Do NOT hardcode a slot's 
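Review bot: Deleting rule 1 ("No global JNDI collisions") in the first README hunk leaves no trace of the condition the commit message attaches to it: the shared java:global/securityAPIDB name is safe only "with patched GlassFish in place", and the fix is cited as a branch (BalusC/glassfish scope-global-resource-pools-per-app), not a released version. Keep a short note in this section naming the GlassFish fix the shared name depends on, so that someone running the TCK against a build without it can recognise the cross-module failures.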
@@ -120,7 +98,7 @@ use an EL expression backed by a `@RequestScoped`/`@Dependent` CDI bean that reads `request.getServerName()/getServerPort()` at request time — `app-openid`'s `OpenIdConfig.getProviderURI()` is the reference. -### 4. Pre-register every slot when an external service validates redirect URIs +### 3. Pre-register every slot when an external service validates redirect URIs When a third-party server (e.g. Mitre OP) validates redirect URIs against a fixed allowlist, register one entry per *possible* slot. The openid-client @@ -131,7 +109,7 @@ pool's `adminBase` + `portStride` — that property is Maven's `-TN` value (defaults to 1) and is also the upper bound on how far the pool can grow, since each Maven thread leases at most one slot at a time. -### 5. Wipe Tomcat `work/` before startup +### 4. Wipe Tomcat `work/` before startup If a module starts its own Tomcat in pre-integration-test, add `` to the antrun *before* @@ -141,7 +119,7 @@ them at startup; without the wipe, a re-run without `mvn clean` resurrects the previous run's sessions and can skip flows the test depends on (e.g. the OpenID consent page). -### 6. Don't race on shared paths in a `` execution +### 5. Don't race on shared paths in a `` execution Anything inheritable that writes to `${maven.multiModuleProjectDirectory}/…` runs once per module under `-T` and races. The parent's source-staging step diff --git a/tck/app-db-basic/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-basic/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 51b155be..0d62604f 100644 --- a/tck/app-db-basic/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-basic/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java 
@@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB-basic", + name = "java:global/securityAPIDB", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-basic;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB-basic") + @Resource(lookup = "java:global/securityAPIDB") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-basic/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-basic/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index c613ba8d..8c35d24c 100644 --- a/tck/app-db-basic/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-basic/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java @@ -28,7 +28,7 @@ import jakarta.servlet.http.HttpServletResponse; @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB-basic", + dataSourceLookup = "java:global/securityAPIDB", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", hashAlgorithm = TestPlaintextPasswordHash.class) diff --git a/tck/app-db-hashalgorithm/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-hashalgorithm/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index f287a97f..d15945ac 100644 --- a/tck/app-db-hashalgorithm/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-hashalgorithm/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java 
@@ -41,7 +41,7 @@ * and key sizes so {@code verify(...)} reads them per row. */ @DataSourceDefinition( - name = "java:global/securityAPIDB-hashalgorithm", + name = "java:global/securityAPIDB", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-hashalgorithm;DB_CLOSE_ON_EXIT=FALSE" ) @@ -49,7 +49,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB-hashalgorithm") + @Resource(lookup = "java:global/securityAPIDB") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-hashalgorithm/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-hashalgorithm/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index ad5d971a..32b9765b 100644 --- a/tck/app-db-hashalgorithm/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-hashalgorithm/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java @@ -35,7 +35,7 @@ * iterations, and salt/key sizes per row. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB-hashalgorithm", + dataSourceLookup = "java:global/securityAPIDB", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", hashAlgorithm = Pbkdf2PasswordHash.class) diff --git a/tck/app-db-hashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-hashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 0eba262b..3b4caded 100644 --- a/tck/app-db-hashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-hashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java 
@@ -40,7 +40,7 @@ * reads parameters back from the encoded hash. */ @DataSourceDefinition( - name = "java:global/securityAPIDB-hashalgorithmparam", + name = "java:global/securityAPIDB", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-hashalgorithmparam;DB_CLOSE_ON_EXIT=FALSE" ) @@ -48,7 +48,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB-hashalgorithmparam") + @Resource(lookup = "java:global/securityAPIDB") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-hashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-hashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index d667b09d..530e9862 100644 --- a/tck/app-db-hashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-hashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java @@ -35,7 +35,7 @@ * hashed under different parameter sets. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB-hashalgorithmparam", + dataSourceLookup = "java:global/securityAPIDB", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", hashAlgorithm = Pbkdf2PasswordHash.class, diff --git a/tck/app-db-invalidcallerquery/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-invalidcallerquery/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 471ec012..7132cc1f 100644 --- a/tck/app-db-invalidcallerquery/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-invalidcallerquery/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java 
@@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB-invalidcallerquery", + name = "java:global/securityAPIDB", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-invalidcallerquery;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB-invalidcallerquery") + @Resource(lookup = "java:global/securityAPIDB") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-invalidcallerquery/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-invalidcallerquery/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index 19e0a6c7..ba7a4ed3 100644 --- a/tck/app-db-invalidcallerquery/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-invalidcallerquery/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java @@ -33,7 +33,7 @@ * "Exception received." in the response body. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB-invalidcallerquery", + dataSourceLookup = "java:global/securityAPIDB", callerQuery = "select invalid from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", hashAlgorithm = TestPlaintextPasswordHash.class) diff --git a/tck/app-db-invaliddatasource/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-invaliddatasource/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index d3ba6c2d..5c963457 100644 --- a/tck/app-db-invaliddatasource/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-invaliddatasource/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java 
@@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB-invaliddatasource", + name = "java:global/securityAPIDB", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-invaliddatasource;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB-invaliddatasource") + @Resource(lookup = "java:global/securityAPIDB") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-invalidgroupsquery/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-invalidgroupsquery/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 93af0a0e..17737280 100644 --- a/tck/app-db-invalidgroupsquery/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-invalidgroupsquery/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB-invalidgroupsquery", + name = "java:global/securityAPIDB", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-invalidgroupsquery;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB-invalidgroupsquery") + @Resource(lookup = "java:global/securityAPIDB") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-invalidgroupsquery/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-invalidgroupsquery/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index 16ac57d9..c3e1d611 100644 --- a/tck/app-db-invalidgroupsquery/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-invalidgroupsquery/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java 
@@ -33,7 +33,7 @@ * as "Exception received." in the response body. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB-invalidgroupsquery", + dataSourceLookup = "java:global/securityAPIDB", callerQuery = "select password from caller where name = ?", groupsQuery = "select invalid from caller_groups where caller_name = ?", hashAlgorithm = TestPlaintextPasswordHash.class) diff --git a/tck/app-db-invalidhashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-invalidhashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 175fa1f7..42da84bc 100644 --- a/tck/app-db-invalidhashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-invalidhashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -40,7 +40,7 @@ * Pbkdf2 self-describing hash format. */ @DataSourceDefinition( - name = "java:global/securityAPIDB-invalidhashalgorithmparam", + name = "java:global/securityAPIDB", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-invalidhashalgorithmparam;DB_CLOSE_ON_EXIT=FALSE" ) @@ -48,7 +48,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB-invalidhashalgorithmparam") + @Resource(lookup = "java:global/securityAPIDB") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-invalidhashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-invalidhashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index 557110bf..efae7634 100644 --- a/tck/app-db-invalidhashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-invalidhashalgorithmparam/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java 
@@ -36,7 +36,7 @@ * users still validate. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB-invalidhashalgorithmparam", + dataSourceLookup = "java:global/securityAPIDB", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", hashAlgorithm = Pbkdf2PasswordHash.class, diff --git a/tck/app-db-invalidpriorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-invalidpriorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 3e592de0..a87062a4 100644 --- a/tck/app-db-invalidpriorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-invalidpriorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB-invalidpriorityuseforexpr", + name = "java:global/securityAPIDB", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-invalidpriorityuseforexpr;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB-invalidpriorityuseforexpr") + @Resource(lookup = "java:global/securityAPIDB") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-invalidpriorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-invalidpriorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index f0319377..a072e8e6 100644 --- a/tck/app-db-invalidpriorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-invalidpriorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java 
@@ -35,7 +35,7 @@ * "Exception received." in the response body. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB-invalidpriorityuseforexpr", + dataSourceLookup = "java:global/securityAPIDB", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", useFor = { ValidationType.VALIDATE }, diff --git a/tck/app-db-multi/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-multi/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index dcf35e20..f306ad48 100644 --- a/tck/app-db-multi/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-multi/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB-multi", + name = "java:global/securityAPIDB", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-multi;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB-multi") + @Resource(lookup = "java:global/securityAPIDB") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-multi/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-multi/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index c09b2ced..d95b426d 100644 --- a/tck/app-db-multi/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-multi/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java 
@@ -39,7 +39,7 @@ * "two stores at different priorities" assertion semantics. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB-multi", + dataSourceLookup = "java:global/securityAPIDB", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", priority = 200, diff --git a/tck/app-db-notvalidated/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-notvalidated/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index cef3806b..1566eb9f 100644 --- a/tck/app-db-notvalidated/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-notvalidated/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB-notvalidated", + name = "java:global/securityAPIDB", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-notvalidated;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB-notvalidated") + @Resource(lookup = "java:global/securityAPIDB") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-notvalidated/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-notvalidated/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index 2e798f05..d53e8be2 100644 --- a/tck/app-db-notvalidated/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-notvalidated/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java 
@@ -33,7 +33,7 @@ * credentials so any call to validate() returns NOT_VALIDATED. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB-notvalidated", + dataSourceLookup = "java:global/securityAPIDB", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", hashAlgorithm = TestPlaintextPasswordHash.class, diff --git a/tck/app-db-priorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-priorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index f73597e1..51452260 100644 --- a/tck/app-db-priorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-priorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB-priorityuseforexpr", + name = "java:global/securityAPIDB", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-priorityuseforexpr;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB-priorityuseforexpr") + @Resource(lookup = "java:global/securityAPIDB") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-priorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-priorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index 76b7e25d..40e1d2f6 100644 --- a/tck/app-db-priorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-priorityuseforexpr/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java 
@@ -36,7 +36,7 @@ * {@link IdentityStore1}. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB-priorityuseforexpr", + dataSourceLookup = "java:global/securityAPIDB", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", useFor = { ValidationType.VALIDATE }, diff --git a/tck/app-db-priorityuseforexprbean/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-priorityuseforexprbean/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 65f3e4c1..90c6225c 100644 --- a/tck/app-db-priorityuseforexprbean/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-priorityuseforexprbean/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB-priorityuseforexprbean", + name = "java:global/securityAPIDB", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-priorityuseforexprbean;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB-priorityuseforexprbean") + @Resource(lookup = "java:global/securityAPIDB") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-priorityuseforexprbean/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-priorityuseforexprbean/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index b7811582..6cfb197c 100644 --- a/tck/app-db-priorityuseforexprbean/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-priorityuseforexprbean/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java 
@@ -35,7 +35,7 @@ * useFor {VALIDATE, PROVIDE_GROUPS}. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB-priorityuseforexprbean", + dataSourceLookup = "java:global/securityAPIDB", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", useFor = { ValidationType.VALIDATE }, diff --git a/tck/app-db-useforgroup/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-useforgroup/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 8df91f71..27377887 100644 --- a/tck/app-db-useforgroup/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-useforgroup/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB-useforgroup", + name = "java:global/securityAPIDB", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-useforgroup;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB-useforgroup") + @Resource(lookup = "java:global/securityAPIDB") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-useforgroup/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-useforgroup/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index 8774e394..cc15d877 100644 --- a/tck/app-db-useforgroup/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-useforgroup/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java 
@@ -35,7 +35,7 @@ * complete the chain. */ @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB-useforgroup", + dataSourceLookup = "java:global/securityAPIDB", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", useFor = { ValidationType.PROVIDE_GROUPS }, diff --git a/tck/app-db-useforvalidation/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java b/tck/app-db-useforvalidation/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java index 010337dd..042db4e6 100644 --- a/tck/app-db-useforvalidation/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java +++ b/tck/app-db-useforvalidation/src/main/java/ee/jakarta/tck/security/test/DatabaseSetup.java @@ -30,7 +30,7 @@ import javax.sql.DataSource; @DataSourceDefinition( - name = "java:global/securityAPIDB-useforvalidation", + name = "java:global/securityAPIDB", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:~/SoteriaTestDB-db-useforvalidation;DB_CLOSE_ON_EXIT=FALSE" ) @@ -38,7 +38,7 @@ @Startup public class DatabaseSetup { - @Resource(lookup = "java:global/securityAPIDB-useforvalidation") + @Resource(lookup = "java:global/securityAPIDB") private DataSource dataSource; @PostConstruct diff --git a/tck/app-db-useforvalidation/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java b/tck/app-db-useforvalidation/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java index 9a80ec9c..a3085256 100644 --- a/tck/app-db-useforvalidation/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java +++ b/tck/app-db-useforvalidation/src/main/java/ee/jakarta/tck/security/test/ServletForDatabaseIDStore.java 
@@ -29,7 +29,7 @@ import jakarta.servlet.http.HttpServletResponse; @DatabaseIdentityStoreDefinition( - dataSourceLookup = "java:global/securityAPIDB-useforvalidation", + dataSourceLookup = "java:global/securityAPIDB", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", useFor = { ValidationType.VALIDATE }, From 8ca29ad66ee386c6d3539b477d884fc37cffdecd Mon Sep 17 00:00:00 2001 From: Bauke Scholtz Date: Thu, 21 May 2026 08:04:37 -0400 Subject: [PATCH 5/6] Bump arquillian-glassfish-server-pool to 2.2.0-SNAPSHOT Picks up the SlotLeaser fix for a race in tryGrow's recycle path: two test JVMs could pick the same dead-but-still-listed slot and run PoolProvisioner.provisionSlot concurrently, surfacing as NoSuchFileException in deleteRecursive racing with the parallel clone's Files.createLink. See arquillian-container-glassfish PR. The race only triggers when prior GF processes died but slot dirs persisted (CI, reboot, pkill), so a hot pool kept alive between reactor runs masks it. Co-Authored-By: Claude Opus 4.7 (1M context) --- tck/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tck/pom.xml b/tck/pom.xml index 05065f71..f7d8c976 100644 --- a/tck/pom.xml +++ b/tck/pom.xml @@ -195,7 +195,7 @@ 9.0.0-SNAPSHOT - 2.1.4-SNAPSHOT + 2.2.0-SNAPSHOT false false 5.0.0 From 1d4a8dd13a39aabaa546b0c74d74dadc1f15e1af Mon Sep 17 00:00:00 2001 From: Bauke Scholtz Date: Thu, 21 May 2026 11:32:21 -0400 Subject: [PATCH 6/6] Forward gf.pool.restartOnRelease to test JVMs Plumbs the new arquillian-glassfish-server-pool restartOnRelease flag through: defaults to false at the parent level, exposed as a sysprop on the glassfish-ci-managed profile's failsafe so individual modules can flip it via a one-line override when their tests leak GF JVM-scoped state. Co-Authored-By: Claude Opus 4.7 (1M context) --- tck/pom.xml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/tck/pom.xml b/tck/pom.xml index f7d8c976..bed6cb73 100644 --- a/tck/pom.xml +++ b/tck/pom.xml @@ -214,6 +214,7 @@ startup; pool-plugin's unpack would happen too late, hence we do it manually. --> true + false ${project.basedir}/target @@ -763,6 +764,7 @@ ${gf.pool.source} ${gf.pool.adminBase} ${gf.pool.portStride} + ${gf.pool.restartOnRelease} ${trustStore.path} ${trustStore.password}
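Review bot: The README hunk at `@@ -70,29 +70,7 @@` deletes the "No global JNDI collisions" rule without anything in the visible changes addressing the reason that rule gave. The deleted text says a single pool slot's GlassFish JVM hosts many deploys sequentially, so two modules using the same `java:global/` name can race through CDI bean discovery and JCA registration. If the shared name is now safe, state why in the commit message and leave a short README note saying so; otherwise keep the rule, since it is the only written guidance a new module author gets on this.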
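Review bot: In the `DatabaseSetup.java` hunks (for example `tck/app-db-basic` at `@@ -30,7 +30,7 @@`), `name = "java:global/securityAPIDB"` becomes identical across all fourteen app-db-* modules while each `url` still points at a module-specific H2 file (`SoteriaTestDB-db-basic`, `SoteriaTestDB-db-multi`, and so on). If a binding from an earlier deploy is still registered on the slot when the next module deploys, `@Resource(lookup = ...)` and the matching `dataSourceLookup` can resolve to another module's database, and an identity-store test would then validate callers against the wrong `caller` table and pass or fail for the wrong reason. Keep the module suffix, or add a check in the `@PostConstruct` setup that the connection really is this module's database, so a stale binding fails loudly instead of silently.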
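Review bot: The version change in `tck/pom.xml` at `@@ -195,7 +195,7 @@` replaces one mutable SNAPSHOT (`2.1.4-SNAPSHOT`) with another (`2.2.0-SNAPSHOT`), so the build that is meant to carry the SlotLeaser race fix is not pinned and the resolved artifact can change between runs. Pin a released version (or a timestamped snapshot) as soon as one exists, and name the upstream PR in the commit message, which currently says only "See arquillian-container-glassfish PR".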
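Review bot: The failsafe hunk at `@@ -763,6 +764,7 @@` forwards `${gf.pool.restartOnRelease}` to the test JVMs, with the default set to `false` in the `@@ -214,6 +214,7 @@` hunk, but no README change documents the flag. The commit message says modules can flip it "when their tests leak GF JVM-scoped state", and the same series removes the module-suffixed JNDI names that previously limited one kind of cross-deploy leak. Add an entry to the README rules for `-T`-safe modules that says which symptoms call for `true`, where the one-line override goes, and what it costs in slot restart time.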