Menu

β„Ή️ What is JBoss? What is JBoss Domain Management ? πŸ› ️ Install JBOSS-EAP 6.4 πŸ“œ Start & Stop JBOSS script. πŸš€ Application Deployment Methods - 1. πŸš€ Application Deployment Methods - 2. πŸš€ Application Deployment Methods - 3. ⚙️ Multiple Instance of JBoss EAP. πŸ” SSL on JBOSS EAP. 🧰 WINDOWS service for JBOSS EAP. πŸ› ️ JBoss EAP 7 - DOMAIN Installation. πŸš€ DOMAIN DEPLOYMENT - GUI MODE. πŸ” SSL on JBOSS 7.1 Admin console & Application. 🌐 Apache mod_jk HTTP Connector - JBOSS AS 7.1 🌐 Apache Configure mod_proxy as load balancer (LB)- JBoss 7.1 🧯 Issue SocketTimeoutException 🧰 JBoss-Remote JMX Connection (jvisualvm) 🌐 Apache Mod Cluster as load balancer (LB) - JBoss 6.4 🧯 Out of space in CodeCache 🧯 java.sql.SQLRecoverableException: Closed Connection 🧯 sun.security.provider.certpath.SunCertPathBuilderException πŸ“ˆ JBOSS EAP 6 TO 7 Migration πŸ” Host Header injection on JBOSS EAP 7.2 πŸ” Encrypting Datasource Passwords using Vault in JBOSS
β„Ή️ Some useful links of IBM. πŸ› ️ WAS Installation using command line. πŸ› ️ Installing Suppliments (IHS/Plugins/WCT) command line. πŸ› ️ Uninstalling Suppliments (IHS/Plugins/WCT) command line. πŸ“ˆ Installing fix-pack using command line. β„Ή️ Profiles in WebSphere® Application Server ND. πŸ“œ WebSphere Profiles list & Basics Commands πŸ› ️ Commands for Custom / Application server / Dmgr Profiles πŸ› ️ Creating WAS-ND Cluster using GUI MODE. πŸš€ Application Deployment on WAS-ND - Cluster Env. πŸ“œ Analyze - JVM logs. 🧰 What is MustGather script ? 🧯 PsList to troubleshoot high CPU usage in Windows πŸ› ️ WebSphere App Server - Updating ports in existing profiles πŸ› ️ Installation Manager (IM) on non-default location πŸ› ️ Websphere Base or ND Installation using Command πŸ“ˆ Install or Update FIXPACK on WebSphere 8.5.+ πŸ› ️ Install SDK 8.0 on Websphere 8.5.5.9+ using Command method. πŸ› ️ How to Create a Clone of any profiles on WAS. πŸ› ️ Installation Manager (IM) on non-Administrator user. πŸ› ️ WebSphere Application Server 7.0.0.X & FIXPACK install / Update on the non-default location. πŸ“ˆ WebSphere ND Migration 7.0 to 8.0 / 9.0 πŸ› ️ IBM WebSphere 9.0.0.0 and IHS (IBM HTTP SERVR) Installation with Fixapck using Command Line (non-root) user
πŸ› ️ Configure IHS (IBM HTTP Server) with WAS 8.5.X.X. πŸ› ️ Multiple IHS in front of WAS (On Single Install). πŸ“Š Monitor IBM HTTP Server connections. πŸ” Self-signed Cert using ikeyman tool. πŸ” Self-Signed Cert using command line. πŸ” Decrypt Stash File.
🌐 Apache HTTP Server β„Ή️ HTTP STATUS CODES πŸ“œ Apache Rewrite Rules πŸ› ️ How to configure Apache MPM. πŸ› ️ Install Apache HTTP Server 2.4.27 ver. on LINUX πŸ› ️ Apache Tomcat - 9.0.0.M21 Installation on WIN 🌐 Apache mod_jk HTTP Connector - JBOSS AS 7.1 🌐 Apache Configure mod_proxy as load balancer (LB)- JBoss 7.1 🧯 Apache error : Server ran out of threads to serve requests (Windows) 🌐 Apache Mod Cluster as load balancer (LB) - JBoss 6.4 🌐 Redirect traffic during maintenance 🧯 httpd (Apache) Error: systemd-tty-ask-password-agent tool! πŸ” SSL certificate supports Weak Ciphers πŸ” How to install opensource mod_security on Apache 2.4 πŸ“ˆ How to upgrade opensource apache from 2.4.39 to 2.4.46 (Minor Version Upgrade). πŸ› ️ What is Nginx & How to install on RHEL πŸ› ️ Install Nginx plus on RHEL 7.4 / UNIX πŸ“Š Monitor Apache httpd process/thread status πŸ“Š Monitor Apache httpd ModJK status πŸ“Š Monitor Apache httpd Proxy balancer-manager status πŸ“Š Monitoring of JBoss servers through Nagios.
πŸ›‘️ Tomcat ghostcat vulnerability (JBoss /Tomcat) πŸ›‘️ SSL certificate supports Weak Ciphers/Encoding (3DES) (Apache 2.4) πŸ›‘️ SSL Medium Strength Cipher Suites Supported (SWEET32) [Tomcat Server] πŸ›‘️ ETag vulnerability & X-Powered-By : jsp/2.2 πŸ›‘️ Missing Security Header(x-xss-protection) & Clickjacking πŸ›‘️ Disable HTTP TRACE / TRACK / OPTIONS/DELETE Method. πŸ›‘️ Information disclosure through server response headers Apache-Coyote & X-Powered-By (JBoss) πŸ›‘️ Local File Inclusion Vulnerabilities OR Directory traversal attack πŸ›‘️ HTTP Host Header Injection (Apache 2.4) πŸ›‘️ Restrict application Accessible by IP Address & HTTP Host Header Injection (Apache 2.4) πŸ›‘️ Disable/Remove Server: Apache header info version (Apache2.4) πŸ” TLS1.2 Protocol enable for IBM WebSphere with SSL Handshake Debug
🌩️ How I Cleared My AZ-900 Microsoft Azure Fundamentals Exam 🌐🧱 Enterprise Network Architecture — Akamai, DNS, WAF, DMZ, SSL & Firewall Flow Explained for Middleware & DevOps Engineers 🌩️ AZ-104 Microsoft Azure Administrator 🌩️ Cloud Computing Basics
⚙️ DevOps vs DevSecOps Explained:Learning Path for Beginners πŸ’» Top 100+ Linux Commands for Middleware & DevOps Engineers 🐧 Linux Shell Scripting for Beginners – Complete Tutorial Series πŸ” Preparing WinRM on Windows Server over HTTPS for Automation (5986) πŸ” WAS Service Restart Using WinRM over HTTPS (5986) on Azure DevOps
☕ how-to-manually-install-new-java-path ☕ SunCertPathBuilderException ☕ out of space in CodeCache for adapters ☕ What is GC , Heap Memory & Metaspace ? ☕ Types of GC , analyze GC logging and REDHAT JVM Tool. πŸ§ͺ How to make datasource test-connection to Oracle / PostgreSql / MSSQL DB Instance.. πŸ§ͺ How to make datasource test-connection to MSSQL DB Instance πŸ§ͺ How to make datasource test-connection to Postgresql DB Instance πŸ§ͺ How to make datasource test-connection to Oracle DB Instance πŸ§ͺ How to Check DB latency using Datasource Test-Connection ☕ Install a new java path to the alternatives 🧰 Xmanager and Set Display. πŸ› ️ Install LAMP on SUSE Linux with example
πŸ” Openssl Commands for Wildcard & SAN certificates. πŸ” What is SSL, What is One-Way SSL & Two-Way SSL? πŸ” Openssl Self-Signed SAN's certificate πŸ” SSL certificate supports Weak Ciphers πŸ” Some SSL issues (Client TLS1.2 , Truststore & SSL debug) with Solutions πŸ” TLS / SSL Certificate Lifetimes Reduced to 47 Days. πŸ” SSL Certificate Renewal on Akamai WAF and Its Impact on Applications. ✨ Worked on VMC SSL Today – A Simple Explanation for Everyone πŸ“ŒWebSphere Outbound SSL & SNI – Troubleshooting Guide
🏒 Enterprise Authentication & Identity Security Series πŸ” Part 1 - What is Authentication? πŸ†” Part 2 - Sessions, Cookies & JSESSIONID ⚖️ Part 3 - Stateful vs Stateless Applications 🎫 Part 4 - JWT (JSON Web Token) & Token-Based Authentication πŸ“Š Part 5 - JWT vs Session vs Cookies Explained πŸšͺ Part 6 - API Authentication & API Gateway Security πŸ”„ Part 7 - OAuth2, OIDC & SAML Explained ☁️ Part 8 - SSO (Single Sign-On), MFA & Microsoft Entra ID 🟦 Part 9 - WebSphere LTPA, Sticky Sessions & Session Replication πŸ›‘️ Part 10 - Zero Trust Security & Authentication Risks
Showing posts with label Authentication Series. Show all posts
Showing posts with label Authentication Series. Show all posts

15 Jun 2026

🏒 Enterprise Authentication & Identity Security Series

πŸ” Authentication & Identity Security Series for Middleware, DevOps & Cloud Engineers

Welcome to the Authentication & Identity Security Series

This 10-part series is designed for Middleware Engineers, DevOps Engineers, Cloud Engineers, Security Engineers and Application Support Teams who want to understand modern authentication, authorization, API security, identity management, and Zero Trust architecture.

Whether you work with WebSphere, JBoss, Tomcat, Microsoft Entra ID, Azure, APIs, or enterprise applications, this series will help you understand authentication from traditional session-based applications to modern cloud-native identity platforms.

πŸ“š Complete Authentication & Identity Security Roadmap

Part Topic Summary
Part 1 πŸ” What is Authentication? Authentication basics, Authorization, login flow, and modern authentication concepts.
Part 2 πŸ†” Sessions, Cookies & JSESSIONID Learn how applications maintain user state using sessions, cookies, and JSESSIONID.
Part 3 ⚖️ Stateful vs Stateless Applications Understand traditional session-based applications versus stateless cloud-native applications.
Part 4 🎫 JWT & Token-Based Authentication JWT structure, bearer tokens, access tokens, refresh tokens, and token-based security.
Part 5 πŸ“Š JWT vs Session vs Cookies Explained Compare Sessions, Cookies, and JWT authentication mechanisms.
Part 6 πŸšͺ API Authentication & API Gateway Security API keys, OAuth2, JWT validation, API gateways, and enterprise API security.
Part 7 πŸ”„ OAuth2, OIDC & SAML Explained Enterprise identity protocols used in SSO and federation.
Part 8 ☁️ SSO, MFA & Microsoft Entra ID Single Sign-On, Multi-Factor Authentication, Conditional Access, and Entra ID.
Part 9 🟦 WebSphere LTPA, Sticky Sessions & Session Replication Enterprise middleware authentication, clustering, session management, and high availability.
Part 10 πŸ›‘️ Zero Trust Security & Authentication Risks Zero Trust, Zscaler, PAM, SIEM, phishing, token theft, and modern security controls.

πŸ“Œ Key Technologies Covered

Category Technologies / Concepts Purpose
Authentication Authentication, Authorization User identity verification and access control
Session Management Sessions, Cookies, JSESSIONID Maintaining user state in web applications
Token Security JWT, Access Tokens, Refresh Tokens Stateless authentication and API security
Identity Protocols OAuth2, OIDC, SAML Enterprise identity federation and authentication
Identity Management SSO, MFA, Microsoft Entra ID Identity governance and access management
API Security API Authentication, API Gateway Protecting APIs and microservices
Middleware Security WebSphere LTPA, Sticky Sessions, Session Replication Middleware authentication and high availability
Cloud Security Conditional Access, Risk-Based Authentication Cloud-native security controls
Zero Trust ZTNA, SASE, Zero Trust Architecture Identity-driven security model
Security Platforms Zscaler, CyberArk, BeyondTrust Enterprise security and PAM solutions
Monitoring SIEM, Microsoft Sentinel, Splunk, QRadar Security monitoring and threat detection
Middleware Platforms WebSphere, JBoss, Tomcat Enterprise application hosting platforms

🎯 Who Should Read This Series?

  • Middleware Engineers
  • WebSphere Administrators
  • JBoss Administrators
  • Tomcat Administrators
  • DevOps Engineers
  • Cloud Engineers
  • Azure Administrators
  • Security Engineers
  • Application Support Teams
  • Solution Architects

πŸš€ Start Learning

New to Authentication and Identity Security? Start with:

πŸ‘‰ Part 1 - What is Authentication?

Author: Pradeep V
Blog: MiddlewareBox.com

Posted by: No comments:
Tags: , , , , , , , , , , , , , , , , , , ,

πŸͺ Sessions, Cookies & JSESSIONID Explained - Part 2

Sessions, Cookies & JSESSIONID Explained
  • Welcome to Part 2 of the Authentication & Identity Security series.
  • This article explains how applications remember users after successful login.
  • Designed for Middleware, DevOps, Cloud, and Application Support Engineers.
  • Includes enterprise examples using WebSphere, Tomcat, JBoss, IBM HTTP Server, NGINX, and Load Balancers.

Table of Contents

Introduction

In Part 1, we learned that authentication verifies a user's identity. After authentication is successful, the next important question is: how does the application remember the same user during future requests?

This is where Sessions, Cookies, and JSESSIONID come into the picture. These components help enterprise applications maintain user identity after login without asking the user to authenticate again on every page.

Key Concept:
Authentication verifies the user once, while session management maintains the user's identity throughout the application journey.

What is a Session?

A session is a server-side mechanism used to store user-specific information after successful authentication.

When a user logs in, the application server creates a unique session for that user. The session may store information such as:

  • User ID
  • User role
  • Login time
  • Application permissions
  • User preferences

The session remains active until one of the following events occurs:

  • User logs out
  • Session timeout occurs
  • Application server restarts
  • Session is invalidated by the application
Middleware View:
In WebSphere, JBoss, and Tomcat, sessions are usually stored in application server memory unless session persistence or replication is configured.

How Do WebSphere, JBoss, Tomcat & Docker Store Session Data?

By default, Java application servers store session data in JVM heap memory. The browser only stores the session identifier (JSESSIONID), while the actual user session data remains on the application server.

Platform Default Session Storage High Availability Options
IBM WebSphere JVM Heap Memory Memory-to-Memory Replication, Database Persistence
JBoss EAP / WildFly JVM Heap Memory Session Replication, Infinispan Cache
Apache Tomcat JVM Heap Memory Session Persistence, Redis, Session Replication
Docker Containers Inside Application JVM/Process Redis, Database, Sticky Sessions, External Session Store

Docker Session Storage

Browser
   │
JSESSIONID
   │
Docker Container
   │
Tomcat / JBoss / WebSphere Liberty
   │
JVM Heap Memory

Docker itself does not manage user sessions. Sessions are managed by the application running inside the container.

If a container is restarted, redeployed, or scaled down, in-memory sessions may be lost unless external session storage is configured.

Docker Best Practice:
Use Redis, database persistence, sticky sessions, or JWT-based authentication for better scalability and resilience.

A cookie is a small piece of data stored in the user's browser. Applications use cookies to identify users across multiple HTTP requests.

HTTP is stateless by default. This means every request is independent. Without cookies or tokens, the server cannot easily identify whether two requests are coming from the same user.

After successful login, the server sends a cookie to the browser. 

Set-Cookie: JSESSIONID=ABC123XYZ789

For every next request, the browser automatically sends this cookie back to the server. 

Cookie: JSESSIONID=ABC123XYZ789

What is JSESSIONID?

JSESSIONID is the default session identifier used by Java-based application servers.

It is commonly seen in applications running on:

  • IBM WebSphere Application Server
  • WebSphere Liberty
  • Apache Tomcat
  • JBoss EAP
  • WildFly

JSESSIONID does not usually store the full user data. It acts as a reference ID that helps the application server locate the correct server-side session. 

JSESSIONID=ABC123XYZ789
Important:
The actual session data is normally stored on the server side. The browser usually stores only the session identifier.

How Session Management Works

User
 │
 ▼
Login Page
 │
 ▼
Authentication Successful
 │
 ▼
Application Server Creates Session
 │
 ▼
JSESSIONID Generated
 │
 ▼
Cookie Sent To Browser
 │
 ▼
Browser Sends Cookie With Every Request
 │
 ▼
Application Server Retrieves Session
 │
 ▼
User Continues Application Access

This process allows the application to remember the authenticated user until logout or session timeout.

Enterprise Example: WebSphere Session Flow

Architecture

User Browser
      │
      ▼
IBM HTTP Server
      │
      ▼
WebSphere Application Server
      │
      ▼
Enterprise Application

Session Flow

  1. User accesses the application login page.
  2. User enters username and password.
  3. WebSphere authenticates the user using LDAP or Active Directory.
  4. WebSphere creates a session in application server memory.
  5. WebSphere generates a JSESSIONID.
  6. Browser receives the JSESSIONID as a cookie.
  7. Browser sends the same cookie in every future request.
  8. WebSphere uses JSESSIONID to locate the user's session.

Example HTTP Response

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=ABC123XYZ789; Path=/app; HttpOnly; Secure

Example HTTP Request

GET /app/dashboard HTTP/1.1
Host: www.company.com
Cookie: JSESSIONID=ABC123XYZ789

Sessions Through Load Balancers

In enterprise environments, applications often run on multiple servers behind a load balancer. 

User Browser
      │
      ▼
NGINX / IBM HTTP Server / F5 / Azure Load Balancer
      │
      ▼
 ┌───────────────┬───────────────┐
 │ WebSphere-01  │ WebSphere-02  │
 └───────────────┴───────────────┘

If a user logs in through WebSphere-01 but the next request goes to WebSphere-02, the session may not be available on WebSphere-02 unless session replication or sticky session is configured.

Common Solutions

  • Sticky Session: Route the same user to the same backend server.
  • Session Replication: Copy session data across cluster members.
  • External Session Store: Store sessions in Redis, database, or distributed cache.
Production Tip:
For stateful Java applications, session affinity is commonly configured at IBM HTTP Server, NGINX, F5, or application server plugin level.

Session vs Cookie vs JSESSIONID

Component Purpose Stored In Example
Session Stores user-specific data Application Server User ID, role, login time
Cookie Stores small client-side data Browser JSESSIONID cookie
JSESSIONID Identifies the server-side session Browser cookie or URL ABC123XYZ789

Session Security Best Practices

Session security is very important because attackers may try to steal or misuse session identifiers.

  • Use Secure flag so cookies are sent only over HTTPS.
  • Use HttpOnly flag to reduce JavaScript-based cookie theft.
  • Use SameSite attribute to reduce CSRF risk.
  • Regenerate session ID after successful login.
  • Configure proper session timeout.
  • Invalidate session during logout.
  • Avoid exposing JSESSIONID in URLs.

Recommended Cookie Example

Set-Cookie: JSESSIONID=ABC123XYZ789; Path=/; Secure; HttpOnly; SameSite=Lax

Common Session Issues

Middleware and DevOps teams commonly troubleshoot session-related issues in production environments.

Issue Possible Cause
User logged out unexpectedly Session timeout or server restart
Session lost after login Cookie not stored or wrong cookie path
Intermittent logout in cluster Sticky session or replication issue
JSESSIONID not visible Application not creating session
Cookie not sent over HTTPS Secure flag or domain/path mismatch
Login loop SSO, cookie, or reverse proxy issue

Key Takeaways

  • Authentication verifies identity.
  • Sessions maintain user identity after login.
  • Cookies store identifiers in the browser.
  • JSESSIONID is the default session identifier for Java applications.
  • Session affinity and replication are important in clustered environments.
  • Cookie security flags such as Secure, HttpOnly, and SameSite improve session security.
  • Session management is critical for WebSphere, JBoss, Tomcat, and enterprise applications.

What’s Next?

Next Article:
Part 3 – Stateful vs Stateless Applications

In the next article, we will understand the difference between stateful and stateless applications and why this concept is important for scaling enterprise applications, APIs, and cloud workloads.

Series: Authentication & Identity Security for Middleware, DevOps & Cloud Engineers
Author: Pradeep V
Blog: MiddlewareBox.com

Posted by: No comments:
Tags: , , , , , , , , , , ,

🌐 WebSphere LTPA, Sticky Sessions & Session Replication Explained - Part 9

WebSphere LTPA, Sticky Sessions & Session Replication Explained | MiddlewareBox

Welcome to Part 9 of the Authentication & Identity Security Series. This article explains LTPA (Lightweight Third-Party Authentication), JSESSIONID (Java Session Identifier), Sticky Sessions, Session Replication, and session handling in WebSphere, Tomcat, JBoss and Docker environments.

Table of Contents

  • What is LTPA?
  • How WebSphere Authentication Works
  • LTPA vs JSESSIONID
  • What are Sticky Sessions?
  • Sticky Sessions vs Session Replication
  • Session Replication in WebSphere
  • Session Handling in Tomcat
  • Session Handling in JBoss
  • Docker Session Challenges
  • Common Production Issues
  • Interview Questions
  • Best Practices

Common Terms Used in This Article

AbbreviationFull Form
LTPALightweight Third-Party Authentication
JSESSIONIDJava Session Identifier
IHSIBM HTTP Server
WASWebSphere Application Server
JVMJava Virtual Machine
HAHigh Availability
DRDisaster Recovery
SSLSecure Sockets Layer

What is LTPA (Lightweight Third-Party Authentication)?

LTPA (Lightweight Third-Party Authentication) is IBM's authentication token mechanism used by WebSphere Application Server to provide authentication and Single Sign-On across applications. 

User Login
    │
    ▼
WebSphere Authentication
    │
    ▼
LTPA Token Generated
    │
    ▼
Browser Stores LTPA Cookie
    │
    ▼
Future Requests Use LTPA Token
LTPA is mainly used for Authentication and Single Sign-On.

How WebSphere Authentication Works

User Browser
      │
      ▼
IBM HTTP Server (IHS)
      │
      ▼
WebSphere Application Server
      │
      ▼
LDAP / Microsoft Entra ID / AD
      │
      ▼
Authentication Success

After successful authentication, WebSphere generates an LTPA token and session information.

LTPA vs JSESSIONID

Feature LTPA JSESSIONID
Purpose Authentication Session Tracking
Used For SSO User Session
Generated After Login Session Creation
WebSphere Specific Yes No

LTPA identifies who the user is, while JSESSIONID identifies the user's application session.

What are Sticky Sessions?

Sticky Session (Session Affinity) ensures that a user continues to connect to the same application server node. 

Load Balancer
      │
      ├── JVM1  ← User Always Routed Here
      │
      └── JVM2

Advantages

  • Simple configuration
  • Better performance
  • No replication overhead

Disadvantages

  • If JVM crashes, user session may be lost
  • Not ideal for HA environments

Sticky Sessions vs Session Replication

Feature Sticky Session Session Replication
Performance High Medium
Failover Support Limited Excellent
Complexity Low High
HA Support Partial Strong

Session Replication in WebSphere

Memory-to-Memory Replication

JVM1
 ↔
JVM2

Database Session Persistence

JVM1
 │
 ▼
Session Database
 │
 ▼
JVM2

If JVM1 fails, JVM2 can continue serving requests using replicated session data.

Session Handling in Apache Tomcat

Browser
   │
JSESSIONID
   │
Tomcat JVM

Tomcat supports clustering using DeltaManager and BackupManager. External session stores such as Redis are commonly used.

Session Handling in JBoss EAP

Browser
   │
JSESSIONID
   │
JBoss Cluster

JBoss commonly uses Infinispan for distributed session replication.

Docker Session Challenges

User
 │
 ▼
Docker Container
 │
 ▼
Tomcat / JBoss / Liberty

If a container restarts, in-memory sessions can be lost.

Recommended Solutions

  • JWT (JSON Web Token)
  • Redis Session Store
  • Database Session Store
  • External Session Cache

Common Production Issues

Issue Cause
Random Logout Session Timeout
SSO Failure LTPA Key Mismatch
Session Lost After Restart In-Memory Session Storage
User Routed To Wrong Node Load Balancer Affinity Issue
Session Replication Failure Cluster Misconfiguration

Interview Question

What is the difference between LTPA and JSESSIONID?

LTPA (Lightweight Third-Party Authentication) is used for authentication and Single Sign-On, whereas JSESSIONID (Java Session Identifier) is used for session tracking and maintaining user state.

Best Practices

  • Use sticky sessions only when failover is not critical.
  • Enable session replication for HA applications.
  • Synchronize LTPA keys across WebSphere cells.
  • Use Redis or database-backed sessions in containers.
  • Monitor session count and JVM memory usage.
  • Configure proper session timeout values.
  • Test failover regularly.

Key Takeaways

  • LTPA provides WebSphere authentication and SSO.
  • JSESSIONID tracks user sessions.
  • Sticky sessions improve performance.
  • Session replication improves availability.
  • Docker requires external session management for HA.

What's Next?

Part 10 – Zero Trust Security & Authentication Risks

Series: Authentication & Identity Security for Middleware, DevOps & Cloud Engineers
Author: Pradeep V
Blog: MiddlewareBox.com

Posted by: No comments:
Tags: , , , , , , , , , , ,

🧩 SSO , MFA (Multi-Factor Authentication) & Microsoft Entra ID Authentication Explained - Part 8

SSO (Single Sign-On), MFA (Multi-Factor Authentication) & Microsoft Entra ID Authentication Explained
  • Welcome to Part 8 of the Authentication & Identity Security series.
  • This article explains SSO (Single Sign-On), MFA (Multi-Factor Authentication), and Microsoft Entra ID authentication.
  • Designed for Middleware, DevOps, Cloud, Security, and Application Support Engineers.
  • Includes enterprise examples using Microsoft Entra ID, SSO (Single Sign-On), MFA (Multi-Factor Authentication), Conditional Access, OIDC (OpenID Connect), SAML (Security Assertion Markup Language), and application integration.

Table of Contents

Introduction

In Part 7, we learned about OAuth2, OpenID Connect (OIDC), and SAML. These protocols are commonly used by enterprise identity platforms to provide secure application login and API access.

In this article, we will understand three important enterprise identity concepts: SSO (Single Sign-On), MFA (Multi-Factor Authentication), and Microsoft Entra ID (formerly Azure Active Directory).

Simple Understanding:
SSO (Single Sign-On) allows users to login once and access multiple applications. MFA (Multi-Factor Authentication) adds an extra verification step. Microsoft Entra ID is Microsoft's cloud identity platform that provides SSO, MFA, Conditional Access, and identity governance.

Common Terms Used in This Article

Abbreviation Full Form / Meaning
SSOSingle Sign-On
MFAMulti-Factor Authentication
Microsoft Entra IDFormerly Azure Active Directory
IAMIdentity and Access Management
OIDCOpenID Connect
OAuth2Open Authorization 2.0
SAMLSecurity Assertion Markup Language
JWTJSON Web Token
ADFSActive Directory Federation Services
APIApplication Programming Interface

What is SSO (Single Sign-On)?

SSO stands for Single Sign-On.

SSO allows users to authenticate once and access multiple applications without entering credentials again for every application.

SSO Flow

User
  │
  ▼
Identity Provider
(Azure Entra ID / Okta / ADFS)
  │
  ▼
Authentication Successful
  │
  ▼
Access Multiple Applications

Enterprise Example

User logs in once to Microsoft Entra ID
        │
        ├── Microsoft 365
        ├── ServiceNow
        ├── HR Portal
        ├── Azure Portal
        └── Internal Web Application

Benefits of SSO

  • Users remember fewer passwords.
  • Centralized authentication management.
  • Improved user experience.
  • Reduced password reset tickets.
  • Better audit and access control.

What is MFA (Multi-Factor Authentication)?

MFA stands for Multi-Factor Authentication.

MFA requires users to verify their identity using more than one factor.

Common MFA Factors

Factor Example
Something you know Password or PIN
Something you have Mobile phone, authenticator app, hardware token
Something you are Biometric verification

MFA Flow

User enters password
      │
      ▼
Password verified
      │
      ▼
MFA challenge
      │
      ▼
Authenticator App / SMS / Push Approval
      │
      ▼
Access granted
Security View:
MFA protects accounts even if the user's password is compromised.

What is Microsoft Entra ID (formerly Azure Active Directory)?

Azure Entra ID, now known as Microsoft Entra ID, is Microsoft's cloud-based identity and access management platform.

It helps organizations manage users, groups, applications, authentication, SSO, MFA, Conditional Access, and identity security.

Microsoft Entra ID Provides

  • User and group management
  • Single Sign-On
  • Multi-Factor Authentication
  • Conditional Access
  • Application registrations
  • Enterprise application integration
  • OAuth2 (Open Authorization 2.0), OIDC (OpenID Connect), and SAML (Security Assertion Markup Language) support
  • Access reviews and identity governance

Enterprise Authentication Flow

User Browser
      │
      ▼
Enterprise Application
      │
      ▼
Microsoft Entra ID
      │
      ▼
Password Authentication
      │
      ▼
MFA / Conditional Access
      │
      ▼
Token or SAML Assertion Issued
      │
      ▼
Application Access Granted

In this flow, the application does not directly validate the user's password. Instead, it redirects the user to Microsoft Entra ID, which performs authentication and returns a token or SAML assertion.

SSO Protocols: OIDC (OpenID Connect) and SAML (Security Assertion Markup Language)

SSO can be implemented using different protocols depending on the application type.

Application Type Recommended Protocol
Modern web application OIDC
REST API access OAuth2
Legacy enterprise web application SAML
Mobile application OIDC with PKCE
Partner federation SAML or OIDC

Conditional Access

Conditional Access is a policy-based security feature in Microsoft Entra ID. It evaluates conditions before allowing access.

Common Conditions

  • User or group
  • Application being accessed
  • Device compliance
  • Location or country
  • Sign-in risk
  • Client application type

Common Controls

  • Require MFA
  • Block access
  • Require compliant device
  • Require password change
  • Grant access only from trusted locations
User Login
   │
   ▼
Conditional Access Policy Check
   │
   ├── Trusted Device? 
   ├── Trusted Location?
   ├── MFA Required?
   │
   ▼
Access Allowed or Blocked
Example:
Require MFA when users access Azure Portal from outside the corporate network.

How to Setup SSO (Single Sign-On) and MFA (Multi-Factor Authentication) in Microsoft Entra ID

Example 1: Setup SSO for an Enterprise Application

  1. Login to Microsoft Entra Admin Center.
  2. Go to Enterprise applications.
  3. Select or create the application.
  4. Open Single sign-on.
  5. Choose protocol: SAML or OIDC depending on application support.
  6. Configure Identifier, Reply URL, Redirect URI, or metadata.
  7. Configure user attributes and claims.
  8. Assign users or groups to the application.
  9. Test SSO login.

Example 2: Enable MFA

  1. Go to Microsoft Entra Admin Center.
  2. Open Protection or Conditional Access.
  3. Create a new Conditional Access policy.
  4. Select target users or groups.
  5. Select target application.
  6. Under Grant controls, choose Require multifactor authentication.
  7. Enable policy in report-only mode first.
  8. Review sign-in logs and then enforce the policy.

Example Conditional Access Policy

Policy Name  : Require MFA for Azure Portal
Users        : Cloud Admins
Application  : Microsoft Azure Management
Condition    : Any location
Control      : Require MFA
Status       : Enabled
Production Tip:
Always test Conditional Access policies with pilot users before enabling them for all users. Keep at least one emergency break-glass account excluded from restrictive policies.

Middleware Application Integration Example

Modern OIDC (OpenID Connect) Application

User Browser
      │
      ▼
NGINX / Load Balancer
      │
      ▼
Application
      │
      ▼
Microsoft Entra ID
      │
      ▼
ID Token + Access Token
      │
      ▼
Application Session Created

Legacy SAML (Security Assertion Markup Language) Application

User Browser
      │
      ▼
IBM HTTP Server / Reverse Proxy
      │
      ▼
Legacy Enterprise Application
      │
      ▼
Microsoft Entra ID / ADFS
      │
      ▼
SAML Assertion
      │
      ▼
Application Access Granted

API (Application Programming Interface) Access with OAuth2 (Open Authorization 2.0)

Client Application
        │
        ▼
Microsoft Entra ID
        │
        ▼
Access Token
        │
        ▼
Azure API Management / API Gateway
        │
        ▼
Backend API

Middleware and DevOps teams often support these integrations by configuring reverse proxies, SSL certificates, redirect URLs, headers, application endpoints, load balancers, and logs.

SSO (Single Sign-On) vs MFA (Multi-Factor Authentication) vs Microsoft Entra ID

Concept Meaning Purpose
SSO (Single Sign-On) Login once and access multiple applications Login once and access multiple applications
MFA (Multi-Factor Authentication) Add extra verification during login Add extra verification during login
Microsoft Entra ID Cloud identity platform Provides SSO, MFA, Conditional Access, app integration
Conditional Access Policy-based access control Allow, block, or require MFA based on conditions

Common Issues

Issue Possible Cause
SSO login loop Cookie, redirect URI, or session issue
Invalid redirect URI Application URL mismatch in Entra ID
MFA prompt not appearing Conditional Access policy not applied
User cannot access application User not assigned to enterprise application
SAML assertion failed Certificate, metadata, NameID, or claim mismatch
Token validation failed Invalid issuer, audience, expiry, or signing key
Access blocked unexpectedly Conditional Access location/device/risk condition

Best Practices

  • Use SSO for enterprise applications to centralize authentication.
  • Enable MFA for privileged users and high-risk applications.
  • Use Conditional Access instead of enabling MFA blindly for everyone.
  • Use OIDC for modern applications and SAML for legacy applications when required.
  • Assign applications to groups instead of individual users.
  • Monitor sign-in logs and audit logs regularly.
  • Keep redirect URIs and reply URLs strict.
  • Rotate SAML certificates and application secrets before expiry.
  • Maintain break-glass emergency accounts.
  • Document application integration details for support teams.

Key Takeaways

  • SSO (Single Sign-On) allows users to login once and access multiple applications.
  • MFA (Multi-Factor Authentication) adds an extra verification layer beyond passwords.
  • Microsoft Entra ID was formerly known as Azure Active Directory.
  • SSO improves user experience and centralizes login.
  • MFA improves security by adding an extra verification step.
  • Conditional Access controls when and how access is granted.
  • Microsoft Entra ID supports OAuth2, OIDC, and SAML integrations.
  • Middleware teams should understand redirect URI, certificates, claims, headers, and logs for troubleshooting.

What’s Next?

Next Article:
Part 9 – WebSphere LTPA, Sticky Sessions & Session Replication

In the next article, we will understand WebSphere LTPA, sticky sessions, session affinity, and session replication in traditional enterprise middleware environments.

Series: Authentication & Identity Security for Middleware, DevOps & Cloud Engineers
Author: Pradeep V
Blog: MiddlewareBox.com

Posted by: No comments:
Tags: , , , , , , , , , , , , , ,

πŸ”‘ OAuth2, OpenID Connect (OIDC) & SAML Explained - Part 7

OAuth2, OpenID Connect (OIDC) & SAML Explained
  • Welcome to Part 7 of the Authentication & Identity Security series.
  • This article explains OAuth2, OpenID Connect (OIDC), and SAML in simple enterprise language.
  • Designed for Middleware, DevOps, Cloud, Security, and Application Support Engineers.
  • Includes examples using Azure Entra ID, SSO, APIs, JWT tokens, enterprise applications, and identity federation.

Table of Contents

Introduction

In Part 6, we learned about API Authentication and API Gateway Security. In this article, we will understand three very important identity and access technologies: OAuth2, OpenID Connect (OIDC), and SAML.

These technologies are widely used in modern enterprises for API access, Single Sign-On (SSO), cloud applications, Microsoft Entra ID integrations, and identity federation.

Simple Understanding:
OAuth2 is mainly for authorization. OIDC is for authentication on top of OAuth2. SAML is commonly used for enterprise Single Sign-On using XML-based assertions.

What is OAuth2?

OAuth2 stands for Open Authorization 2.0.

OAuth2 is an authorization framework that allows an application to access protected resources on behalf of a user without sharing the user's password with that application.

OAuth2 Simple Flow

User
  │
  ▼
Client Application
  │
  ▼
Authorization Server
  │
  ▼
Access Token Issued
  │
  ▼
Protected API

OAuth2 answers this question: 

What can this application access?

OAuth2 Example

Client Application
        │
        ▼
Azure Entra ID
        │
        ▼
Access Token
        │
        ▼
API Gateway / Backend API

OAuth2 is heavily used for API access, mobile applications, web applications, machine-to-machine integrations, and cloud services.

What is OpenID Connect (OIDC)?

OIDC stands for OpenID Connect.

OIDC is an identity layer built on top of OAuth2. It is used to authenticate users and provide identity information to applications.

OAuth2 provides access tokens. OIDC adds an ID Token, which tells the application who the user is.

OIDC Simple Flow

User
  │
  ▼
Application
  │
  ▼
Identity Provider
  │
  ▼
ID Token + Access Token
  │
  ▼
Application Login Successful

OIDC answers this question: 

Who is the user?

OIDC Example

User logs in to application
        │
        ▼
Azure Entra ID authenticates user
        │
        ▼
Application receives ID Token
        │
        ▼
Application knows user's identity
Important:
OIDC is commonly used for modern web application login and Single Sign-On with Azure Entra ID, Okta, Keycloak, and other identity providers.

What is SAML?

SAML stands for Security Assertion Markup Language.

SAML is an XML-based standard used for exchanging authentication and authorization data between an Identity Provider and a Service Provider.

SAML Simple Flow

User
  │
  ▼
Service Provider Application
  │
  ▼
Identity Provider Login
  │
  ▼
SAML Assertion Issued
  │
  ▼
Application Access Granted

SAML is commonly used for enterprise SSO with older and traditional enterprise applications.

SAML Example

User opens HR portal
        │
        ▼
Redirect to Azure Entra ID / ADFS
        │
        ▼
User authenticates
        │
        ▼
SAML Assertion sent to HR portal
        │
        ▼
User login successful

OAuth2 vs OIDC

OAuth2 and OIDC are closely related, but they are not the same.

OAuth2 OIDC
Authorization framework Authentication layer on top of OAuth2
Used to access APIs Used to log in users
Issues Access Token Issues ID Token and Access Token
Answers: What can the app access? Answers: Who is the user?
Common in API security Common in SSO login
Memory Shortcut:
OAuth2 = Access to APIs
OIDC = Login and user identity

OIDC vs SAML

Point OIDC SAML
Format JSON / JWT XML
Modern Usage Modern web apps, APIs, mobile apps Enterprise SSO, older web apps
Token / Assertion ID Token SAML Assertion
Protocol Base OAuth2 SAML standard
Cloud Native Friendly High Medium
Common Providers Azure Entra ID, Okta, Keycloak Azure Entra ID, ADFS, PingFederate

Azure Entra ID Example

Microsoft Entra ID supports OAuth2, OIDC, and SAML for application authentication and authorization.

Modern Application Using OIDC

User
  │
  ▼
Web Application
  │
  ▼
Microsoft Entra ID
  │
  ▼
ID Token + Access Token
  │
  ▼
Application Login Successful

API Access Using OAuth2

Client Application
        │
        ▼
Microsoft Entra ID
        │
        ▼
OAuth2 Access Token
        │
        ▼
Azure API Management
        │
        ▼
Backend API

Enterprise SSO Using SAML

User
  │
  ▼
Legacy Enterprise Application
  │
  ▼
Microsoft Entra ID / ADFS
  │
  ▼
SAML Assertion
  │
  ▼
Application Access Granted

Enterprise SSO Architecture

User Browser
      │
      ▼
Enterprise Application
      │
      ▼
Identity Provider
(Azure Entra ID / Okta / ADFS)
      │
      ▼
Authentication + MFA
      │
      ▼
Token / Assertion
      │
      ▼
Application Access

In this architecture, applications do not manage user passwords directly. Authentication is delegated to a centralized identity provider.

Benefits

  • Centralized identity management
  • Single Sign-On
  • Multi-Factor Authentication
  • Conditional Access
  • Better audit and compliance
  • Reduced password handling by applications

Access Token, ID Token & SAML Assertion

Item Used By Purpose
Access Token OAuth2 Access protected APIs
ID Token OIDC Prove user identity to application
SAML Assertion SAML Provide authentication result to service provider

Example Access Token Usage

GET /api/customer
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Example ID Token Purpose

Application receives ID Token
Application reads user identity claims
User login is established

Example SAML Assertion Purpose

Identity Provider sends SAML Assertion
Service Provider validates assertion
User gets access to application

Where OAuth2, OIDC and SAML are Used

Use Case Recommended Protocol
REST API access OAuth2
Modern web application login OIDC
Mobile app login OIDC
Single Page Application OIDC with Authorization Code + PKCE
Legacy enterprise SSO SAML
Microsoft Graph API access OAuth2
Partner enterprise federation SAML or OIDC

OAuth2 vs OIDC vs SAML Comparison

Feature OAuth2 OIDC SAML
Full Form Open Authorization 2.0 OpenID Connect Security Assertion Markup Language
Main Purpose Authorization Authentication Enterprise SSO
Common Format Token JWT / JSON XML
Common Output Access Token ID Token SAML Assertion
Best For APIs Modern login Enterprise web SSO
Modern Cloud Usage High High Medium

How to Setup OAuth2, OIDC and SAML - Practical Example

Below is a high-level enterprise setup example using Microsoft Entra ID as the Identity Provider. The same concept applies to Okta, Keycloak, PingFederate, and other identity platforms.

Important:
Exact screens may differ based on the identity provider, but the core setup flow remains almost the same: register application, configure redirect URI, assign users, generate client details, and configure the application.

Example 1: Setup OIDC Login for a Web Application

Use OIDC when your application needs user login and Single Sign-On. 

User
  │
  ▼
Web Application
  │
  ▼
Microsoft Entra ID
  │
  ▼
ID Token + Access Token
  │
  ▼
Application Login Successful

High-Level Setup Steps

  1. Login to Microsoft Entra Admin Center.
  2. Go to App registrations.
  3. Create a new application registration.
  4. Configure the application redirect URI.
  5. Create a client secret if the application is confidential.
  6. Configure required API permissions.
  7. Assign users or groups if required.
  8. Configure the application with Client ID, Tenant ID, Client Secret, and Redirect URI.

Example OIDC Configuration

Tenant ID     : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Client ID     : yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy
Redirect URI  : https://app.company.com/signin-oidc
Authority URL : https://login.microsoftonline.com/{tenant-id}
Scope         : openid profile email

Common OIDC Use Cases

  • Enterprise web application login
  • Single Sign-On for internal portals
  • Cloud-native application authentication
  • Modern replacement for application-managed passwords

Example 2: Setup OAuth2 for API Access

Use OAuth2 when an application needs to access a protected API using an access token. 

Client Application
        │
        ▼
Microsoft Entra ID
        │
        ▼
OAuth2 Access Token
        │
        ▼
API Gateway / Backend API

High-Level Setup Steps

  1. Register the backend API in Microsoft Entra ID.
  2. Expose an API scope such as api.read or api.write.
  3. Register the client application.
  4. Grant the client application permission to call the API.
  5. Use OAuth2 flow to request an access token.
  6. Send the access token to the API using the Authorization header.
  7. Validate token issuer, audience, expiry, and signature at API Gateway or backend API.

Example API Request

GET /api/customer HTTP/1.1
Host: api.company.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Example Token Validation Points

  • Issuer should match Microsoft Entra ID tenant.
  • Audience should match the API Application ID URI.
  • Token should not be expired.
  • Signature should be valid.
  • Required scope or role should be present.

Example 3: Setup SAML SSO for an Enterprise Application

Use SAML when integrating legacy enterprise applications that support SAML-based Single Sign-On. 

User
  │
  ▼
Enterprise Application
  │
  ▼
Microsoft Entra ID / ADFS
  │
  ▼
SAML Assertion
  │
  ▼
Application Login Successful

High-Level Setup Steps

  1. Create or select an Enterprise Application in Microsoft Entra ID.
  2. Select Single sign-on and choose SAML.
  3. Configure Identifier / Entity ID.
  4. Configure Reply URL / ACS URL.
  5. Configure Sign-on URL if required.
  6. Download Federation Metadata XML or certificate.
  7. Upload metadata or certificate to the Service Provider application.
  8. Map claims such as username, email, name, and groups.
  9. Assign users or groups to the application.
  10. Test SSO login.

Example SAML Configuration

Identifier / Entity ID : https://app.company.com/saml/metadata
Reply URL / ACS URL    : https://app.company.com/saml/acs
Sign-on URL            : https://app.company.com
NameID Format          : emailAddress

Common SAML Use Cases

  • Legacy enterprise web applications
  • HR portals
  • Vendor applications
  • Enterprise SaaS applications
  • Applications integrated with ADFS or Entra ID

Quick Setup Comparison

Requirement Recommended Setup Example
User login for modern web app OIDC App receives ID Token
API access OAuth2 API receives Access Token
Legacy enterprise SSO SAML Application receives SAML Assertion
Mobile app login OIDC with PKCE Mobile app receives tokens securely
System-to-system API OAuth2 Client Credentials Service principal gets access token
Middleware Engineer Tip:
For troubleshooting, always check Redirect URI, Reply URL, Entity ID, Audience, Issuer, Certificate, Token Expiry, and Claim Mapping first. Most OAuth2, OIDC, and SAML issues are caused by mismatch in these values.

Common Issues

Issue Possible Cause
Invalid redirect URI Application redirect URL mismatch in identity provider
Invalid audience Token issued for different API or application
Invalid issuer Wrong identity provider or tenant configured
SAML assertion validation failed Certificate, timestamp, or metadata mismatch
OIDC login loop Cookie, redirect URI, or session issue
Access denied after login Authentication successful but authorization missing

Best Practices

  • Use OIDC for modern application login.
  • Use OAuth2 for API access and delegated authorization.
  • Use SAML for legacy enterprise SSO where required.
  • Always validate issuer, audience, expiry, and signature.
  • Use HTTPS for all authentication and token flows.
  • Use Authorization Code Flow with PKCE for modern applications.
  • Do not store secrets in frontend applications.
  • Rotate certificates and signing keys regularly.
  • Enable MFA and Conditional Access in enterprise environments.
  • Keep redirect URIs strict and controlled.

Key Takeaways

  • OAuth2 stands for Open Authorization 2.0.
  • OAuth2 is mainly used for authorization and API access.
  • OIDC stands for OpenID Connect.
  • OIDC is used for authentication and user login.
  • SAML stands for Security Assertion Markup Language.
  • SAML is commonly used for enterprise SSO.
  • Azure Entra ID supports OAuth2, OIDC, and SAML.
  • OAuth2 issues access tokens, OIDC issues ID tokens, and SAML uses assertions.

What’s Next?

Next Article:
Part 8 – SSO, MFA & Azure Entra ID Authentication

In the next article, we will understand Single Sign-On, Multi-Factor Authentication, and how Azure Entra ID helps secure enterprise applications.

Series: Authentication & Identity Security for Middleware, DevOps & Cloud Engineers
Author: Pradeep V
Blog: MiddlewareBox.com

Posted by: No comments:
Tags: , , , , , , , , , , , , , ,

πŸ›‘️ API Authentication & API Gateway Security Explained - Part 6

API Authentication & API Gateway Security Explained
  • Welcome to Part 6 of the Authentication & Identity Security series.
  • This article explains how APIs are authenticated and protected in enterprise environments.
  • Designed for Middleware, DevOps, Cloud, API, and Application Support Engineers.
  • Includes examples using API Keys, Basic Authentication, JWT, OAuth2, API Gateway, Azure API Management, NGINX, and backend services.

Table of Contents

Introduction

In Part 5, we compared JWT, Sessions, and Cookies. Now we will move one level deeper into API security.

Modern applications commonly expose REST APIs for mobile apps, web apps, partner integrations, microservices, automation tools, and cloud platforms. These APIs must be protected so that only trusted users, systems, or applications can access them.

Key Concept:
API Authentication verifies who is calling the API before allowing access to backend services.

What is API Authentication?

API Authentication is the process of verifying the identity of a client application, user, service account, or system before allowing it to call an API.

API consumers may include:

  • Web applications
  • Mobile applications
  • Partner systems
  • Microservices
  • Automation scripts
  • CI/CD tools
  • Monitoring tools

Simple API Flow

Client Application
        │
        ▼
Authentication Credential
        │
        ▼
API Gateway / API Server
        │
        ▼
Credential Validation
        │
        ▼
Backend Service Access

Why API Authentication is Important

APIs expose business data and backend functions. Without proper authentication, attackers or unauthorized systems may call sensitive APIs.

  • Protects customer and business data
  • Prevents unauthorized API access
  • Supports audit and compliance requirements
  • Protects backend services from misuse
  • Enables secure partner and system integration
  • Supports identity-based access control
Enterprise View:
In production environments, APIs are usually protected using a combination of authentication, authorization, rate limiting, logging, WAF, and API Gateway policies.

Common API Authentication Methods

Method Common Usage Security Level
API Key Simple application identification Basic
Basic Authentication Legacy/internal APIs Low to Medium
JWT Bearer Token Modern APIs and microservices High
OAuth2 Enterprise delegated access High
mTLS System-to-system authentication Very High

API Key Authentication

API Key authentication uses a unique key to identify the application or client calling the API.

Example

GET /api/customer HTTP/1.1
Host: api.company.com
x-api-key: 9f8a7b6c5d4e

The API Gateway or backend API validates the key before processing the request.

Advantages

  • Simple to implement
  • Useful for internal or low-risk APIs
  • Good for identifying applications

Limitations

  • Does not identify the actual user
  • Can be leaked if stored insecurely
  • Should not be used alone for sensitive APIs

Basic Authentication

Basic Authentication sends username and password encoded in the Authorization header.

Example

Authorization: Basic base64(username:password)

Although the value is encoded, it is not encrypted. Therefore, Basic Authentication must always be used only over HTTPS.

Security Note:
Basic Authentication is simple but not recommended for modern public APIs unless combined with HTTPS, strong password policy, and additional controls.

JWT Bearer Token Authentication

JWT Bearer Token authentication is commonly used in modern APIs.

After successful login, the client receives a JWT access token and sends it with every API request.

Example API Request

GET /api/policies HTTP/1.1
Host: api.company.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Validation Performed by API

  • Validate token signature
  • Check token expiry
  • Validate issuer
  • Validate audience
  • Check user roles or claims
Middleware View:
JWT validation can be performed at API Gateway, reverse proxy, application middleware, or backend service level.

OAuth2 API Authentication

OAuth2 is commonly used when an application needs delegated access to protected APIs.

Instead of sharing user passwords with APIs, the application receives an access token from an authorization server.

OAuth2 API Flow

Client Application
        │
        ▼
Authorization Server
        │
        ▼
Access Token Issued
        │
        ▼
API Request With Bearer Token
        │
        ▼
Protected API

Common OAuth2 Components

  • Client: Application requesting access
  • Resource Owner: User or account owner
  • Authorization Server: Issues tokens
  • Resource Server: API being accessed

OAuth2 is commonly used with Azure Entra ID, identity providers, API Gateways, and enterprise SSO platforms.

OAuth2 vs JWT

Many engineers confuse OAuth2 and JWT and assume they are the same thing. They are related but serve different purposes.

Simple Rule:
OAuth2 is the process used to obtain access tokens.
JWT is a token format commonly used for those access tokens.

Airport Analogy

  • OAuth2 = Security verification process
  • JWT = Boarding pass issued after verification

OAuth2 Flow

User
  │
  ▼
Application
  │
  ▼
Authorization Server
  │
  ▼
User Login & Consent
  │
  ▼
Access Token Issued

JWT Example

Header.Payload.Signature

JWT defines the structure of the token. OAuth2 defines how the token is obtained.

Azure Example

User
 │
 ▼
Microsoft Entra ID
 │
OAuth2 Authorization Flow
 │
 ▼
JWT Access Token
 │
 ▼
Azure API Management
 │
 ▼
Backend API
OAuth2JWT
Authorization FrameworkToken Format
Defines how tokens are obtainedDefines token structure
Handles login and consent flowContains claims and signature
Can issue JWT or opaque tokensDoes not define login process
Used by Entra ID, Okta, KeycloakCommon access token format
Interview Answer:
OAuth2 is an authorization framework that defines how applications obtain access tokens. JWT is a token format commonly used to represent those access tokens.

What is an API Gateway?

An API Gateway is a centralized entry point for APIs. It sits between clients and backend services. 

Client
  │
  ▼
API Gateway
  │
  ▼
Backend API / Microservice

Instead of exposing backend services directly, organizations expose APIs through an API Gateway.

Common API Gateway Products

  • Azure API Management
  • AWS API Gateway
  • Apigee
  • Kong Gateway
  • NGINX
  • IBM API Connect

API Gateway Security Controls

API Gateways provide multiple security and governance controls.

  • API authentication
  • JWT validation
  • OAuth2 integration
  • API key validation
  • Rate limiting
  • IP whitelisting
  • Request validation
  • Header validation
  • WAF integration
  • Logging and monitoring
  • Backend routing
  • Throttling and quota management
Production Tip:
Do not expose backend APIs directly to the internet. Use API Gateway, WAF, authentication policies, logging, and rate limiting.

Enterprise Architecture Example

Mobile App / Web App / Partner System
              │
              ▼
        WAF / CDN Layer
              │
              ▼
        API Gateway
              │
     ┌────────┼────────┐
     │        │        │
 JWT Validation   Rate Limit   Logging
     │        │        │
     └────────┼────────┘
              │
              ▼
       Backend API Service
              │
              ▼
       Database / Core System

In this model, API Gateway validates the caller before forwarding traffic to backend services.

Benefits

  • Centralized security enforcement
  • Reduced backend exposure
  • Improved monitoring and auditability
  • Better control over partner integrations
  • Reusable authentication and authorization policies

Azure API Management Example

Azure API Management can secure APIs using subscription keys, JWT validation, OAuth2 integration, and backend policies.

Typical Flow

Client Application
        │
        ▼
Azure API Management
        │
        ▼
Validate JWT / API Key
        │
        ▼
Azure App Service / AKS / VM API

Common Azure API Management Controls

  • Subscription key validation
  • JWT validation policy
  • OAuth2 / OpenID Connect integration
  • IP filtering
  • Rate limiting
  • Request and response transformation
  • Backend routing

JWT Header Example

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

NGINX / Reverse Proxy Example

NGINX can be used as a reverse proxy in front of backend APIs. It can enforce TLS, route traffic, validate headers, limit requests, and integrate with authentication services. 

Client
  │
  ▼
NGINX Reverse Proxy
  │
  ▼
Tomcat / JBoss / Spring Boot API

Common NGINX API Security Use Cases

  • HTTPS termination
  • Header forwarding
  • Rate limiting
  • IP allowlist / denylist
  • Reverse proxy routing
  • Basic authentication for internal APIs

Authentication Method Comparison

Method Best For Strength Limitation
API Key Application identification Simple and fast Does not identify user
Basic Auth Legacy/internal APIs Easy to implement Password exposure risk if misused
JWT Modern APIs Stateless and scalable Token theft and expiry handling
OAuth2 Delegated access Enterprise-grade authorization More complex setup
mTLS System-to-system APIs Strong certificate-based trust Certificate lifecycle management

Common API Authentication Issues

Issue Possible Cause
401 Unauthorized Missing, expired, or invalid token
403 Forbidden User authenticated but not authorized
Invalid API key Wrong key or inactive subscription
Invalid JWT signature Wrong signing key or modified token
Audience validation failed Token issued for different API
Rate limit exceeded Too many requests from client
CORS issue Browser blocked cross-origin API request

Best Practices

  • Always use HTTPS for API communication.
  • Do not expose backend APIs directly to the internet.
  • Use API Gateway for centralized authentication and policy enforcement.
  • Use JWT or OAuth2 for modern APIs.
  • Keep access tokens short-lived.
  • Validate issuer, audience, expiry, and signature.
  • Use API keys only for application identification or low-risk APIs.
  • Apply rate limiting and throttling.
  • Log API access for audit and troubleshooting.
  • Use WAF for internet-facing APIs.
  • Rotate secrets, API keys, and certificates regularly.

Key Takeaways

  • API Authentication verifies who is calling the API.
  • API Keys are simple but not enough for sensitive APIs.
  • Basic Authentication should be avoided for modern public APIs unless strongly protected.
  • JWT Bearer Tokens are widely used for modern API authentication.
  • OAuth2 is used for delegated access and enterprise integrations.
  • API Gateways centralize authentication, routing, monitoring, and security policies.
  • Azure API Management, NGINX, Apigee, Kong, and IBM API Connect are common gateway solutions.

What’s Next?

Next Article:
Part 7 – OAuth2, OpenID Connect (OIDC) & SAML Explained

In the next article, we will understand OAuth2, OIDC, and SAML, and how these protocols are used in enterprise SSO, API access, and identity federation.

Series: Authentication & Identity Security for Middleware, DevOps & Cloud Engineers
Author: Pradeep V
Blog: MiddlewareBox.com

Posted by: No comments:
Tags: , , , , , , , , , , , , , , ,

⚖️ JWT vs Session vs Cookies Explained - Part 5

JWT vs Session vs Cookies Explained
  • Welcome to Part 5 of the Authentication & Identity Security series.
  • This article explains the difference between JWT, Sessions and Cookies.
  • Designed for Middleware, DevOps, Cloud, API, and Application Support Engineers.
  • Includes enterprise examples using WebSphere, JBoss, Tomcat, Docker, Azure Entra ID, APIs, and Load Balancers.

Table of Contents

Introduction

In previous parts, we learned about sessions, cookies, JSESSIONID, stateful applications, stateless applications, and JWT-based authentication.

Now it is important to clearly understand the difference between Cookies, Sessions and JWT. Many engineers confuse these terms and use them interchangeably, but they are different concepts.

Simple Understanding:
A cookie is stored in the browser. A session is stored on the server. A JWT is a signed token usually used for stateless authentication.

A cookie is a small piece of data stored in the user's browser. The server sends a cookie to the browser, and the browser sends it back with future requests.

Cookies are commonly used to store identifiers, preferences, tracking values, and session IDs.

Example Cookie

Set-Cookie: JSESSIONID=ABC123XYZ789; Path=/app; Secure; HttpOnly

Browser Sends Cookie Back

GET /app/dashboard HTTP/1.1
Host: www.company.com
Cookie: JSESSIONID=ABC123XYZ789
Important:
A cookie is only a storage mechanism in the browser. It is not the same as a session.

What is a Session?

A session is server-side storage used to maintain user information after login.

In Java enterprise applications, the session is commonly identified using JSESSIONID.

Session Data Example

Session ID: ABC123XYZ789

Stored on Server:
- userId = pradeep
- role = admin
- loginTime = 10:30 AM
- applicationAccess = policy-portal

The browser does not usually store this full session data. The browser only stores the JSESSIONID cookie. The actual session data remains inside the application server memory or external session store.

Common Platforms

  • IBM WebSphere Application Server
  • WebSphere Liberty
  • Apache Tomcat
  • JBoss EAP
  • WildFly

What is JWT?

JWT stands for JSON Web Token. It is a signed token that contains claims about the user or application.

JWT is commonly used in APIs, microservices, mobile applications, Docker-based applications, and cloud-native systems.

JWT Example

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiJwcmFkZWVwIiwicm9sZSI6ImFkbWluIn0.
signature

JWT Payload Example

{
  "sub": "pradeep",
  "role": "admin",
  "iss": "https://login.company.com",
  "aud": "api.company.com",
  "exp": 1789459200
}
Important:
JWT payload is encoded, not encrypted by default. Do not store passwords, secrets, or sensitive data inside JWT.

Cookie, Session and JWT Flow

Session + Cookie Flow

User Login
   │
Application Server Authenticates User
   │
Server Creates Session
   │
Server Generates JSESSIONID
   │
Browser Stores JSESSIONID Cookie
   │
Browser Sends Cookie With Every Request
   │
Server Finds Session Using JSESSIONID

JWT Flow

User Login
   │
Authentication Server Validates User
   │
JWT Generated
   │
Client Stores JWT
   │
Client Sends JWT With API Request
   │
API Validates JWT Signature and Expiry
   │
Access Granted

JWT vs Session vs Cookies Comparison

Feature Cookie Session JWT
Basic Meaning Browser storage mechanism Server-side user state Signed authentication token
Stored In Browser Application Server / External Store Client side
Common Example JSESSIONID cookie User session in JVM heap Bearer token
Stateful / Stateless Storage only Stateful Stateless
Server Memory Required No Yes, unless externalized No session memory required
Scaling Easy Requires sticky session or replication Easier horizontal scaling
Best For Session ID, preferences Traditional web applications APIs, mobile apps, microservices
Security Risk Cookie theft Session hijacking Token theft

Enterprise Middleware Example

Traditional WebSphere / JBoss / Tomcat Application

Browser
   │
JSESSIONID Cookie
   │
IBM HTTP Server / NGINX
   │
WebSphere / JBoss / Tomcat
   │
Session Stored in JVM Memory

This architecture is common in enterprise web applications. The application server stores session data and the browser stores only the JSESSIONID.

Common Requirements

  • Session timeout configuration
  • Sticky session at load balancer
  • Session replication in cluster
  • Secure and HttpOnly cookie flags
  • Logout session invalidation

Docker and Cloud Perspective

Docker does not automatically make an application stateless. If the application running inside the container stores sessions in JVM memory, it is still stateful.

Stateful Docker Application

Browser
   │
JSESSIONID Cookie
   │
Docker Container
   │
Tomcat / JBoss / WebSphere Liberty
   │
Session Stored in Container JVM Memory

If the container restarts or is replaced, in-memory sessions may be lost.

Better Cloud-Native Options

  • Use JWT-based stateless authentication
  • Use Redis as external session store
  • Use database-backed session persistence
  • Use short-lived tokens with refresh tokens
  • Use API Gateway for centralized token validation

Azure Entra ID Perspective

Azure Entra ID commonly issues tokens for modern enterprise applications and APIs. 

User
 │
Application
 │
Azure Entra ID Login
 │
Access Token / ID Token
 │
Application or API Access

In this model, Azure Entra ID handles authentication and issues tokens. Applications validate the token before granting access.

Enterprise Use Case:
Azure Entra ID + OAuth2/OIDC + JWT is commonly used for SSO, API authentication, Azure applications, and cloud-native platforms.

Which One Should You Use?

Application Type Recommended Approach
Traditional WebSphere / JBoss / Tomcat web app Session + Cookie
REST API JWT / OAuth2 Access Token
Docker-based application JWT or Redis-backed session
Single Page Application OIDC with secure token handling
Enterprise SSO Azure Entra ID / SAML / OIDC
Legacy Java application Session-based authentication

Common Misconceptions

Misconception 1: Cookie and Session are Same

This is incorrect. A cookie is stored in the browser. A session is stored on the server.

Misconception 2: JWT Always Replaces Session

JWT is useful for APIs and stateless architectures, but traditional web applications may still use sessions effectively.

Misconception 3: JWT is Always More Secure

JWT security depends on implementation. Poor token storage, long expiry, missing validation, or weak signing keys can create serious risks.

Misconception 4: Docker Makes Applications Stateless

Docker only packages and runs applications. If the application stores sessions in memory, it remains stateful.

Security Best Practices

Cookie Best Practices

  • Use Secure flag for HTTPS-only transmission.
  • Use HttpOnly flag to reduce JavaScript access.
  • Use SameSite attribute to reduce CSRF risk.
  • Set proper cookie path and domain.

Session Best Practices

  • Configure proper session timeout.
  • Invalidate session after logout.
  • Regenerate session ID after login.
  • Use session replication or external session store for HA.
  • Avoid storing unnecessary large objects in session.

JWT Best Practices

  • Use HTTPS for all token communication.
  • Keep access tokens short-lived.
  • Validate signature, expiry, issuer, and audience.
  • Never store passwords or secrets in JWT payload.
  • Use refresh tokens carefully.
  • Rotate signing keys periodically.

Common Production Issues

Issue Possible Cause
User logged out randomly Session timeout, server restart, or sticky session issue
Session works on one node but fails on another No session replication or affinity
JWT gives 401 Unauthorized Expired token, invalid signature, wrong audience or issuer
Cookie not sent to server Wrong domain, path, Secure flag, or SameSite setting
High JVM memory usage Too many sessions or large session objects
Login loop Cookie, SSO, reverse proxy, or token validation issue

Key Takeaways

  • A cookie is browser-side storage.
  • A session stores user data on the server.
  • JSESSIONID is commonly stored inside a cookie.
  • JWT is a signed token used for stateless authentication.
  • Sessions are common in WebSphere, JBoss, and Tomcat applications.
  • JWT is common in APIs, Docker applications, microservices, and cloud-native systems.
  • Cookies, sessions, and JWT can all be secure or insecure depending on implementation.

What’s Next?

Next Article:
Part 6 – API Authentication & API Gateway Security

In the next article, we will understand API authentication methods such as API keys, Basic Authentication, JWT, OAuth2, and how API Gateways secure backend services.

Series: Authentication & Identity Security for Middleware, DevOps & Cloud Engineers
Author: Pradeep V
Blog: MiddlewareBox.com

Posted by: No comments:
Tags: , , , , , , , , , , , , , , ,

🎫 JWT & Token-Based Authentication Explained - Part 4

JWT & Token-Based Authentication Explained
  • Welcome to Part 4 of the Authentication & Identity Security series.
  • This article explains JWT, access tokens, refresh tokens, and bearer tokens.
  • Designed for Middleware, DevOps, Cloud, API, and Application Support Engineers.
  • Includes enterprise examples using APIs, Docker, Azure Entra ID, API Gateway, and modern authentication flows.

Table of Contents

Introduction

In Part 3, we learned the difference between stateful and stateless applications. Traditional enterprise applications commonly use sessions and JSESSIONID, while modern applications and APIs commonly use tokens.

One of the most popular token formats used in modern authentication is JWT.

JWT Full Form:
JWT stands for JSON Web Token.

What is JWT?

JWT, or JSON Web Token, is a compact and signed token format used to securely exchange information between a client and a server.

A JWT can carry identity and authorization information such as:

  • User ID
  • Email address
  • User role
  • Issuer
  • Audience
  • Token expiry time

JWT is commonly used in APIs, microservices, cloud applications, mobile applications, and Single Sign-On systems.

Why JWT is Used

JWT is widely used because it supports stateless authentication. The application does not need to store the user session in server memory.

  • Useful for REST APIs
  • Works well with Docker-based applications
  • Supports microservices architecture
  • Easy to validate at API Gateway level
  • Used by OAuth2 and OpenID Connect flows
  • Used by identity providers such as Azure Entra ID
Cloud View:
JWT helps applications scale horizontally because any backend server can validate the token without depending on server-side session memory.

JWT Structure

A JWT contains three parts separated by dots. 

Header.Payload.Signature

Example JWT format: 

xxxxx.yyyyy.zzzzz

1. Header

The header contains token type and signing algorithm. 

{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload

The payload contains claims. Claims are information about the user or token. 

{
  "sub": "pradeep",
  "role": "admin",
  "iss": "https://login.company.com",
  "aud": "api.company.com",
  "exp": 1789459200
}

Common JWT Claims

Claim Meaning
subSubject or User ID
issIssuer of the token
audAudience or target application
expToken expiry time
iatIssued at time
roleUser role or permission

3. Signature

The signature is used to verify that the token has not been modified. 

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)
Important:
JWT payload is encoded, not encrypted by default. Do not store passwords, secrets, or sensitive personal data inside JWT payload.

How JWT Works

User
 │
 ▼
Login Request
 │
 ▼
Authentication Server
 │
 ▼
Credentials Validated
 │
 ▼
JWT Generated
 │
 ▼
JWT Returned To Client
 │
 ▼
Client Sends JWT With API Requests
 │
 ▼
API Validates JWT
 │
 ▼
Access Granted

Step 1: User Login

POST /login
username=pradeep
password=********

Step 2: JWT Returned

{
  "access_token": "eyJhbGciOiJIUzI1NiIs..."
}

Step 3: API Request With JWT

GET /api/customer
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

The API validates the token signature, expiry, issuer, audience, and claims before allowing access.

Is JWT Generated Every Time?

No. JWT is not generated for every API request.

A JWT is usually generated once during successful login or authentication. The same token is reused for multiple API requests until it expires. 

Login
 │
JWT Generated Once
 │
Same JWT Sent With Every API Request
 │
Token Expires
 │
New Token Required

When is a New JWT Generated?

  • When the user logs in again
  • When the access token expires and a refresh token is used
  • When the authentication server rotates or renews tokens
  • When the user signs out and signs in again
Important:
The client sends the same JWT with every request using the Authorization header until the token expires.

Access Token, Refresh Token & Bearer Token

Token Type Purpose Typical Lifetime
Access Token Used to access APIs and protected resources Short-lived
Refresh Token Used to get a new access token Longer-lived
Bearer Token Token sent in Authorization header Depends on token expiry

Bearer Token Example

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Bearer means whoever has the token can use it. That is why token storage and transport security are very important.

Enterprise Middleware Example

Traditional Session-Based Application

Browser
   │
JSESSIONID Cookie
   │
IBM HTTP Server
   │
WebSphere / JBoss / Tomcat
   │
Session Stored in JVM Memory

This is commonly used in traditional enterprise web applications.

Modern JWT-Based API

Client Application
   │
Authorization: Bearer JWT
   │
API Gateway
   │
Backend API / Microservice
   │
Token Validated

This is commonly used in APIs, microservices, Docker deployments, and cloud-native applications.

Azure Entra ID Example

Azure Entra ID can act as an identity provider and issue tokens after successful authentication. 

User
 │
 ▼
Application
 │
 ▼
Azure Entra ID Login
 │
 ▼
MFA / Conditional Access
 │
 ▼
Access Token Issued
 │
 ▼
Application Calls API

The API validates the token issued by Azure Entra ID before allowing access to protected resources.

Enterprise Use Case:
Azure Entra ID tokens are commonly used for Microsoft 365, Azure Portal, enterprise applications, APIs, and Single Sign-On integrations.

JWT Security Best Practices

  • Always use HTTPS to protect tokens in transit.
  • Keep access tokens short-lived.
  • Use refresh tokens carefully and store them securely.
  • Validate token signature on every request.
  • Validate issuer and audience claims.
  • Never store passwords or secrets inside JWT payload.
  • Use secure storage for tokens in browser or mobile applications.
  • Rotate signing keys periodically.
  • Use API Gateway or identity middleware for centralized validation.

Session vs JWT

Point Session JWT
ArchitectureStatefulStateless
User DataStored on serverStored as token claims
IdentifierJSESSIONIDBearer Token
ScalingNeeds sticky session or replicationEasier horizontal scaling
Common UseTraditional web appsAPIs and microservices
Example PlatformWebSphere, JBoss, TomcatAPI Gateway, Docker, Cloud APIs

Common JWT Issues

Issue Possible Cause
401 UnauthorizedToken expired or invalid
Invalid signatureWrong signing key or modified token
Audience validation failedToken issued for different API
Issuer validation failedWrong identity provider configured
Token too largeToo many claims added
Token theft riskInsecure storage or missing HTTPS

Key Takeaways

  • JWT stands for JSON Web Token.
  • JWT contains Header, Payload, and Signature.
  • JWT is commonly used for stateless authentication.
  • A JWT is usually generated during login and reused until expiry.
  • Access tokens are used to access APIs.
  • Refresh tokens are used to get new access tokens.
  • Bearer tokens are sent in the Authorization header.
  • JWT is widely used in APIs, Docker applications, cloud platforms, and microservices.

What’s Next?

Next Article:
Part 5 – JWT vs Session vs Cookies

In the next article, we will compare JWT, sessions, and cookies in detail and understand when to use each approach in enterprise applications.

Series: Authentication & Identity Security for Middleware, DevOps & Cloud Engineers
Author: Pradeep V
Blog: MiddlewareBox.com

Posted by: No comments:
Tags: , , , , , , , , , , , , ,
Subscribe to: Posts (Atom)