# Session-Based Access Control Security Pattern

Combines session-based authentication (opaque tokens) with authorization. The subject is first authenticated via its session ID, then authorized based on its principal's privileges before the action is executed.

## Core Components

| Role | Type | Responsibility |
|------|------|----------------|
| Subject | Entity | Requests actions with session ID |
| Authentication Enforcer | Enforcement Point | Verifies session ID |
| Verifier | Decision Point | Validates session, retrieves principal |
| Session Manager | Entity | Maintains open sessions |
| Session ID Genera…
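The flow the components above describe, as an added Python example (not code from the pattern's source): the session manager issues opaque session IDs and tracks open sessions, the verifier resolves a session ID to its principal, and the enforcer authenticates first and authorizes second before running the action. Class and method names, the session TTL and the privilege strings are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Added illustration of the pattern; names and TTL are assumptions.

@dataclass(frozen=True)
class Principal:
    name: str
    privileges: frozenset  # e.g. {"read", "write"}; constructed for the example

@dataclass
class Session:
    principal: Principal
    expires_at: float

class SessionManager:
    """Maintains open sessions keyed by an opaque session ID."""
    def __init__(self, ttl_seconds=900):
        self._sessions = {}
        self._ttl = ttl_seconds

    def open_session(self, principal, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # opaque: random lookup key, carries no data
        self._sessions[sid] = Session(principal, now + self._ttl)
        return sid

    def lookup(self, sid, now=None):
        now = time.time() if now is None else now
        session = self._sessions.get(sid)
        if session is None:
            return None
        if now >= session.expires_at:
            del self._sessions[sid]  # expired session is closed on first use
            return None
        return session

class Verifier:
    """Decision point: validates the session and returns its principal, or None."""
    def __init__(self, sessions):
        self._sessions = sessions

    def principal_for(self, sid, now=None):
        session = self._sessions.lookup(sid, now)
        return session.principal if session else None

class AuthenticationEnforcer:
    """Enforcement point: authenticate by session ID, then authorize, then act."""
    def __init__(self, verifier):
        self._verifier = verifier

    def execute(self, sid, action, required_privilege, now=None):
        principal = self._verifier.principal_for(sid, now)
        if principal is None:
            return ("unauthenticated", None)  # unknown or expired session
        if required_privilege not in principal.privileges:
            return ("forbidden", None)  # authenticated, but not authorized
        return ("ok", action(principal))
```

Each outcome is returned rather than raised so callers can log authentication failures and authorization denials separately.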