Menu

β„Ή️ What is JBoss? What is JBoss Domain Management ? πŸ› ️ Install JBOSS-EAP 6.4 πŸ“œ Start & Stop JBOSS script. πŸš€ Application Deployment Methods - 1. πŸš€ Application Deployment Methods - 2. πŸš€ Application Deployment Methods - 3. ⚙️ Multiple Instance of JBoss EAP. πŸ” SSL on JBOSS EAP. 🧰 WINDOWS service for JBOSS EAP. πŸ› ️ JBoss EAP 7 - DOMAIN Installation. πŸš€ DOMAIN DEPLOYMENT - GUI MODE. πŸ” SSL on JBOSS 7.1 Admin console & Application. 🌐 Apache mod_jk HTTP Connector - JBOSS AS 7.1 🌐 Apache Configure mod_proxy as load balancer (LB)- JBoss 7.1 🧯 Issue SocketTimeoutException 🧰 JBoss-Remote JMX Connection (jvisualvm) 🌐 Apache Mod Cluster as load balancer (LB) - JBoss 6.4 🧯 Out of space in CodeCache 🧯 java.sql.SQLRecoverableException: Closed Connection 🧯 sun.security.provider.certpath.SunCertPathBuilderException πŸ“ˆ JBOSS EAP 6 TO 7 Migration πŸ” Host Header injection on JBOSS EAP 7.2 πŸ” Encrypting Datasource Passwords using Vault in JBOSS
β„Ή️ Some useful links of IBM. πŸ› ️ WAS Installation using command line. πŸ› ️ Installing Suppliments (IHS/Plugins/WCT) command line. πŸ› ️ Uninstalling Suppliments (IHS/Plugins/WCT) command line. πŸ“ˆ Installing fix-pack using command line. β„Ή️ Profiles in WebSphere® Application Server ND. πŸ“œ WebSphere Profiles list & Basics Commands πŸ› ️ Commands for Custom / Application server / Dmgr Profiles πŸ› ️ Creating WAS-ND Cluster using GUI MODE. πŸš€ Application Deployment on WAS-ND - Cluster Env. πŸ“œ Analyze - JVM logs. 🧰 What is MustGather script ? 🧯 PsList to troubleshoot high CPU usage in Windows πŸ› ️ WebSphere App Server - Updating ports in existing profiles πŸ› ️ Installation Manager (IM) on non-default location πŸ› ️ Websphere Base or ND Installation using Command πŸ“ˆ Install or Update FIXPACK on WebSphere 8.5.+ πŸ› ️ Install SDK 8.0 on Websphere 8.5.5.9+ using Command method. πŸ› ️ How to Create a Clone of any profiles on WAS. πŸ› ️ Installation Manager (IM) on non-Administrator user. πŸ› ️ WebSphere Application Server 7.0.0.X & FIXPACK install / Update on the non-default location. πŸ“ˆ WebSphere ND Migration 7.0 to 8.0 / 9.0 πŸ› ️ IBM WebSphere 9.0.0.0 and IHS (IBM HTTP SERVR) Installation with Fixapck using Command Line (non-root) user
πŸ› ️ Configure IHS (IBM HTTP Server) with WAS 8.5.X.X. πŸ› ️ Multiple IHS in front of WAS (On Single Install). πŸ“Š Monitor IBM HTTP Server connections. πŸ” Self-signed Cert using ikeyman tool. πŸ” Self-Signed Cert using command line. πŸ” Decrypt Stash File.
🌐 Apache HTTP Server β„Ή️ HTTP STATUS CODES πŸ“œ Apache Rewrite Rules πŸ› ️ How to configure Apache MPM. πŸ› ️ Install Apache HTTP Server 2.4.27 ver. on LINUX πŸ› ️ Apache Tomcat - 9.0.0.M21 Installation on WIN 🌐 Apache mod_jk HTTP Connector - JBOSS AS 7.1 🌐 Apache Configure mod_proxy as load balancer (LB)- JBoss 7.1 🧯 Apache error : Server ran out of threads to serve requests (Windows) 🌐 Apache Mod Cluster as load balancer (LB) - JBoss 6.4 🌐 Redirect traffic during maintenance 🧯 httpd (Apache) Error: systemd-tty-ask-password-agent tool! πŸ” SSL certificate supports Weak Ciphers πŸ” How to install opensource mod_security on Apache 2.4 πŸ“ˆ How to upgrade opensource apache from 2.4.39 to 2.4.46 (Minor Version Upgrade). πŸ› ️ What is Nginx & How to install on RHEL πŸ› ️ Install Nginx plus on RHEL 7.4 / UNIX πŸ“Š Monitor Apache httpd process/thread status πŸ“Š Monitor Apache httpd ModJK status πŸ“Š Monitor Apache httpd Proxy balancer-manager status πŸ“Š Monitoring of JBoss servers through Nagios.
πŸ›‘️ Tomcat ghostcat vulnerability (JBoss /Tomcat) πŸ›‘️ SSL certificate supports Weak Ciphers/Encoding (3DES) (Apache 2.4) πŸ›‘️ SSL Medium Strength Cipher Suites Supported (SWEET32) [Tomcat Server] πŸ›‘️ ETag vulnerability & X-Powered-By : jsp/2.2 πŸ›‘️ Missing Security Header(x-xss-protection) & Clickjacking πŸ›‘️ Disable HTTP TRACE / TRACK / OPTIONS/DELETE Method. πŸ›‘️ Information disclosure through server response headers Apache-Coyote & X-Powered-By (JBoss) πŸ›‘️ Local File Inclusion Vulnerabilities OR Directory traversal attack πŸ›‘️ HTTP Host Header Injection (Apache 2.4) πŸ›‘️ Restrict application Accessible by IP Address & HTTP Host Header Injection (Apache 2.4) πŸ›‘️ Disable/Remove Server: Apache header info version (Apache2.4) πŸ” TLS1.2 Protocol enable for IBM WebSphere with SSL Handshake Debug
🌩️ How I Cleared My AZ-900 Microsoft Azure Fundamentals Exam 🌐🧱 Enterprise Network Architecture — Akamai, DNS, WAF, DMZ, SSL & Firewall Flow Explained for Middleware & DevOps Engineers 🌩️ AZ-104 Microsoft Azure Administrator 🌩️ Cloud Computing Basics
⚙️ DevOps vs DevSecOps Explained:Learning Path for Beginners πŸ’» Top 100+ Linux Commands for Middleware & DevOps Engineers 🐧 Linux Shell Scripting for Beginners – Complete Tutorial Series πŸ” Preparing WinRM on Windows Server over HTTPS for Automation (5986) πŸ” WAS Service Restart Using WinRM over HTTPS (5986) on Azure DevOps
☕ how-to-manually-install-new-java-path ☕ SunCertPathBuilderException ☕ out of space in CodeCache for adapters ☕ What is GC , Heap Memory & Metaspace ? ☕ Types of GC , analyze GC logging and REDHAT JVM Tool. πŸ§ͺ How to make datasource test-connection to Oracle / PostgreSql / MSSQL DB Instance.. πŸ§ͺ How to make datasource test-connection to MSSQL DB Instance πŸ§ͺ How to make datasource test-connection to Postgresql DB Instance πŸ§ͺ How to make datasource test-connection to Oracle DB Instance πŸ§ͺ How to Check DB latency using Datasource Test-Connection ☕ Install a new java path to the alternatives 🧰 Xmanager and Set Display. πŸ› ️ Install LAMP on SUSE Linux with example
πŸ” Openssl Commands for Wildcard & SAN certificates. πŸ” What is SSL, What is One-Way SSL & Two-Way SSL? πŸ” Openssl Self-Signed SAN's certificate πŸ” SSL certificate supports Weak Ciphers πŸ” Some SSL issues (Client TLS1.2 , Truststore & SSL debug) with Solutions πŸ” TLS / SSL Certificate Lifetimes Reduced to 47 Days. πŸ” SSL Certificate Renewal on Akamai WAF and Its Impact on Applications. ✨ Worked on VMC SSL Today – A Simple Explanation for Everyone πŸ“ŒWebSphere Outbound SSL & SNI – Troubleshooting Guide
🏒 Enterprise Authentication & Identity Security Series πŸ” Part 1 - What is Authentication? πŸ†” Part 2 - Sessions, Cookies & JSESSIONID ⚖️ Part 3 - Stateful vs Stateless Applications 🎫 Part 4 - JWT (JSON Web Token) & Token-Based Authentication πŸ“Š Part 5 - JWT vs Session vs Cookies Explained πŸšͺ Part 6 - API Authentication & API Gateway Security πŸ”„ Part 7 - OAuth2, OIDC & SAML Explained ☁️ Part 8 - SSO (Single Sign-On), MFA & Microsoft Entra ID 🟦 Part 9 - WebSphere LTPA, Sticky Sessions & Session Replication πŸ›‘️ Part 10 - Zero Trust Security & Authentication Risks
Showing posts with label Identity Management. Show all posts
Showing posts with label Identity Management. Show all posts

14 Jun 2026

πŸ” What is Authentication in Web Applications? - Part 1

What is Authentication in Web Applications?

What is Authentication in Web Applications?

  • Welcome to the Authentication & Identity Security series.
  • This series is designed for Middleware, DevOps and Cloud Engineers.
  • Learn how authentication works in enterprise applications, APIs, cloud platforms, and Docker environments.
  • Includes real-world examples using LDAP, Active Directory, Azure Entra ID, WebSphere, and modern authentication technologies.

Table of Contents

Introduction

Authentication is the first layer of security in any enterprise application. Before a user can access an application, API, cloud portal the system must verify the user's identity.

Whether you are managing IBM WebSphere, JBoss EAP, Apache Tomcat, Azure, Docker, or API Gateways, authentication is a critical component of enterprise security architecture.

Why is Authentication Important?
Authentication prevents unauthorized access to applications, APIs, cloud resources, and sensitive business data.

What is Authentication?

Authentication is the process of verifying the identity of a user, application, or system before granting access to resources.

Simply put: 

Authentication answers the question:
"Who are you?"

Applications typically validate user credentials against:

  • LDAP
  • Microsoft Active Directory
  • Azure Entra ID
  • Database
  • Identity Providers

How Authentication Works

User
 │
 ▼
Login Page
 │
 ▼
Username & Password
 │
 ▼
Application Server
 │
 ▼
LDAP / AD / Azure Entra ID
 │
 ▼
Identity Verification
 │
 ▼
Session or Token Created
 │
 ▼
Access Granted

Once authentication is successful, the application creates a session or issues a token to establish trust between the user and the application.

Authentication vs Authorization

Authentication Authorization
Verifies identity Verifies permissions
Who are you? What can you access?
Occurs first Occurs after authentication
Login process Access control process

Enterprise Example

A user logs into the Azure Portal.

Authentication checks: 

Is this user really Pradeep?

Authorization checks: 

Can the user create Virtual Machines?
Can the user modify NSGs?
Can the user access Production Resources?

Enterprise Example: LDAP Authentication

Many traditional enterprise applications use LDAP or Active Directory for centralized authentication.

Architecture

User Browser
      │
      ▼
IBM HTTP Server / NGINX
      │
      ▼
WebSphere Application Server
      │
      ▼
LDAP / Active Directory

Authentication Flow

  1. User accesses the application.
  2. User enters username and password.
  3. WebSphere receives the login request.
  4. WebSphere sends credentials to LDAP.
  5. LDAP validates the credentials.
  6. WebSphere creates a session.
  7. Browser receives a JSESSIONID cookie.
  8. User gains access to the application.

Real-World Example

Application:
https://www.company.com

LDAP Server:
ldap://ldap.company.com:389

Successful Login Response:
Set-Cookie: JSESSIONID=ABC123XYZ789
Key Learning:
LDAP verifies whether the user exists and whether the supplied credentials are valid.

Enterprise Example: Azure Entra ID Authentication

Modern cloud-native applications use Azure Entra ID for centralized identity and access management.

Architecture

User
 │
 ▼
Web Application
 │
 ▼
Azure Entra ID
 │
 ▼
MFA Verification
 │
 ▼
JWT Token
 │
 ▼
Application Access

Authentication Flow

  1. User opens the application.
  2. Application redirects the user to Azure Entra ID.
  3. User enters credentials.
  4. Multi-Factor Authentication is completed.
  5. Azure Entra ID validates the identity.
  6. JWT token is issued.
  7. User is redirected back to the application.
  8. Application validates the token and grants access.

Benefits

  • Single Sign-On
  • Multi-Factor Authentication
  • Centralized Identity Management
  • Conditional Access Policies
  • Improved security posture

Traditional vs Modern Authentication

Traditional Authentication Modern Authentication
LDAP Azure Entra ID
Active Directory Identity Provider
Session-Based Token-Based
JSESSIONID JWT
Stateful Stateless
WebSphere / JBoss / Tomcat Cloud & Microservices
On-Premises Hybrid & Cloud

Why Authentication Matters

Authentication protects critical enterprise systems and reduces the risk of unauthorized access.

  • Enterprise applications
  • APIs
  • Customer data
  • Cloud resources
  • Docker
  • Administrative portals

Common authentication-related issues handled by Middleware and DevOps teams include:

  • LDAP connectivity failures
  • Active Directory integration issues
  • Login failures
  • Session timeout problems
  • SSO redirection loops
  • Expired JWT tokens
  • OAuth2 configuration issues
  • Azure Entra ID authentication failures
  • Load balancer session affinity issues

Key Takeaways

  • Authentication verifies identity before access is granted.
  • Authorization determines what an authenticated user can access.
  • Traditional enterprise applications commonly use LDAP, Active Directory, sessions, and cookies.
  • Modern applications use Azure Entra ID, JWT tokens, OAuth2, OIDC, and MFA.
  • Authentication is the first layer of security for applications, APIs, and cloud platforms.
  • Understanding authentication is essential for Middleware, DevOps, Cloud, and Security Engineers.

What’s Next?

Next Article:
Part 2 – Sessions, Cookies & JSESSIONID Explained

In the next article, we will understand how applications maintain user identity after successful authentication and how session management works in WebSphere, JBoss, Tomcat, and modern web applications.

Series: Authentication & Identity Security for Middleware, DevOps & Cloud Engineers
Author: Pradeep V
Blog: MiddlewareBox.com

Posted by: No comments:
Tags: , , , , , , , , , , ,
Subscribe to: Posts (Atom)