Security Context Basics: User, Subject and Principal

Last modified: 28 November 2020


1. Overview


Security is a fundamental part of any Java application, and many security frameworks exist to handle it. These frameworks share a small vocabulary, and three of its terms come up constantly: subject, principal, and user.


In this tutorial, we explain these basic concepts and show how they relate to and differ from one another.


2. Subject


In a security context, the subject is the source of a request: the entity that reads information about resources or modifies them. It need not be a person; a program, a process, a service, or another computer can be a subject just as well. In JAAS, a Subject is the container that groups together all the identities and credentials of one such entity.


For example, when a person asks an application for access to one of its resources, the application must authenticate the source of that request before authorizing it. The person making the request is the subject.


Let's look at an example implemented with the JAAS framework, which runs an action as the authenticated subject:


// the Subject populated by a successful loginContext.login()
Subject subject = loginContext.getSubject();
PrivilegedAction privilegedAction = new ResourceAction();
// null acc: the action runs in a fresh AccessControlContext tied to the subject,
// not in the caller's current one
Subject.doAsPrivileged(subject, privilegedAction, null);
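The snippet above runs an action as the subject, but it shows neither what the subject contains nor how the action finds out who it is running as. The following is an added example, not code from the original article or from its GitHub project, that fills that in: a Subject carrying two principals for the same entity, an action that looks up the current Subject and authorizes on one principal type, and the two refusal cases. It assumes JDK 18 or later, because it uses Subject.callAs and Subject.current(), the replacements for Subject.doAs/doAsPrivileged and Subject.getSubject(AccessController.getContext()), which recent JDKs deprecate; the UserPrincipal class, the ResourceAction class and the names "alice" and "build-server" are assumptions made for the example.

```java
import java.security.Principal;
import java.util.Set;
import java.util.concurrent.Callable;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class SubjectDemo {

    // Hypothetical principal type for this example (not a JAAS built-in):
    // the login name, one of several identities the subject may carry.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "user:" + name; }
    }

    // The action runs "as" the subject. It is not handed the Subject as a parameter;
    // it asks the runtime which subject the current execution is bound to.
    static final class ResourceAction implements Callable<String> {
        @Override
        public String call() {
            Subject current = Subject.current();
            if (current == null) {
                return "denied: no subject bound to this execution";
            }
            // Authorize on one principal type only. The subject may also carry certificate
            // DNs, groups, etc., but this resource is keyed on the user name.
            Set<UserPrincipal> users = current.getPrincipals(UserPrincipal.class);
            if (users.isEmpty()) {
                return "denied: no UserPrincipal among " + current.getPrincipals();
            }
            return "granted to " + users.iterator().next().getName()
                + " (all principals: " + current.getPrincipals() + ")";
        }
    }

    public static void main(String[] args) {
        // Normally a LoginContext populates this after a successful login(); here the
        // subject is built by hand with two identities for the same entity.
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal("alice"));
        subject.getPrincipals().add(new X500Principal("CN=alice, O=Example"));
        // Freeze it: once authentication is finished nothing should be able to add a
        // privileged principal later in the request's lifetime.
        subject.setReadOnly();

        System.out.println(Subject.callAs(subject, new ResourceAction()));
        // Same action with no subject bound: the resource must refuse.
        System.out.println(new ResourceAction().call());
        // A subject that carries only a different kind of principal: also refused.
        Subject cert = new Subject();
        cert.getPrincipals().add(new X500Principal("CN=build-server, O=Example"));
        System.out.println(Subject.callAs(cert, new ResourceAction()));
    }
}
```

Compile with javac and run with java SubjectDemo. The first call is granted and lists both principals; the second and third are denied, which is the behaviour to check for in any resource that relies on the bound subject: outside callAs there is no subject at all, and a subject without the expected principal type must not be treated as authenticated for this resource just because it is non-null.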

3. Principal


After successful authentication, the subject is populated with its associated identities: a user name, roles, an account number, a social security number (SSN), an X.500 distinguished name, and so on. Each such identifier is a principal, and the subject is the set of principals that together represent one entity.


For instance, a person may hold an account-number principal ("87654-3210") alongside other unique identifiers; together they distinguish that subject from every other subject.


Let's see how a JAAS LoginModule creates a UserPrincipal after a successful login and adds it to the Subject in its commit() method:


@Override
public boolean commit() throws LoginException {
    // login() failed or never ran: tell the LoginContext to ignore this module
    if (!loginSucceeded) {
        return false;
    }
    // only now, in the commit phase, does the module touch the Subject
    userPrincipal = new UserPrincipal(username);
    subject.getPrincipals().add(userPrincipal);
    return true;
}

4. User


Typically, a user is a person who accesses resources to perform an action or accomplish a work task.


A user can be represented as a principal: the principal is the identity assigned to the user. The UserPrincipal from the previous section is exactly that, the JAAS principal that carries the user's name inside the Subject.
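The commit() method shown in the previous section is one of five LoginModule callbacks, and it is only correct in combination with the others: login() must verify the credentials without touching the Subject, abort() must discard what login() learned when another module in the chain fails, and logout() must remove exactly the principals this module added. The following is an added example, not the article's own code and not part of its GitHub project, showing the whole module together with a programmatic JAAS Configuration and a CallbackHandler so that it runs without a jaas.conf file. The module name "demo", the UserPrincipal and RolePrincipal classes, the user "alice", her roles and the embedded SHA-256 credential table are all constructed for the example; it assumes JDK 16 or later for pattern-matching instanceof.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class DemoLoginModule implements LoginModule {
    // Hypothetical principal types (assumptions for this example, not JAAS built-ins).
    static final class UserPrincipal implements Principal {
        final String name; UserPrincipal(String n) { name = n; }
        public String getName() { return name; } public String toString() { return "user:" + name; }
    }
    static final class RolePrincipal implements Principal {
        final String name; RolePrincipal(String n) { name = n; }
        public String getName() { return name; } public String toString() { return "role:" + name; }
    }

    // Constructed credential store (user -> SHA-256(password), user -> roles); a real module
    // would query a directory or database rather than hold these in a class.
    static final Map<String, byte[]> HASHES = Map.of("alice", sha256("correct horse"));
    static final Map<String, Set<String>> ROLES = Map.of("alice", Set.of("reader", "admin"));
    private Subject subject;
    private CallbackHandler handler;
    private String username;
    private boolean loginSucceeded;
    private final Set<Principal> added = new HashSet<>(); // exactly what commit() put into the subject

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    // Phase 1: verify the credentials, but do not touch the Subject yet.
    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] {nc, pc}); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("no credentials: " + e); }
        char[] pw = pc.getPassword();
        pc.clearPassword();
        try {
            byte[] expected = nc.getName() == null ? null : HASHES.get(nc.getName());
            // Constant-time compare: Arrays.equals would leak how many leading bytes match.
            loginSucceeded = pw != null && expected != null && MessageDigest.isEqual(expected, sha256(new String(pw)));
        } finally {
            if (pw != null) Arrays.fill(pw, '\0');   // scrub the secret from memory
        }
        // One message for "no such user" and "wrong password": do not reveal which names exist.
        if (!loginSucceeded) throw new FailedLoginException("bad user name or password");
        username = nc.getName();
        return true;
    }

    // Phase 2: the LoginContext calls this only if every required module's login() succeeded.
    @Override public boolean commit() throws LoginException {
        if (!loginSucceeded) return false;   // this module is to be ignored; add nothing
        if (subject.isReadOnly()) throw new LoginException("subject is read-only");
        added.add(new UserPrincipal(username));
        for (String role : ROLES.getOrDefault(username, Set.of())) added.add(new RolePrincipal(role));
        subject.getPrincipals().addAll(added);
        return true;
    }

    @Override public boolean abort() {   // some module failed after our login(): discard what we learned
        boolean had = loginSucceeded; username = null; loginSucceeded = false; added.clear(); return had;
    }
    @Override public boolean logout() {  // remove exactly what this module added, never the whole set
        subject.getPrincipals().removeAll(added); added.clear(); loginSucceeded = false; return true;
    }

    static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    // Programmatic JAAS configuration, so the demo needs no jaas.conf file.
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] {new AppConfigurationEntry(DemoLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())};
        }
    };

    // Answers the module's callbacks with constructed credentials instead of prompting a person.
    static CallbackHandler credentials(String user, String password) {
        return callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback n) n.setName(user);
                else if (c instanceof PasswordCallback p) p.setPassword(password.toCharArray());
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        LoginContext ok = new LoginContext("demo", new Subject(), credentials("alice", "correct horse"), CONFIG);
        ok.login();
        System.out.println("after login:   " + ok.getSubject().getPrincipals());
        ok.logout();
        System.out.println("after logout:  " + ok.getSubject().getPrincipals());
        LoginContext bad = new LoginContext("demo", new Subject(), credentials("alice", "wrong"), CONFIG);
        try { bad.login(); } catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
        System.out.println("after failure: " + bad.getSubject().getPrincipals());
    }
}
```

Compile with javac and run with java DemoLoginModule. The successful login leaves the Subject holding one UserPrincipal and two RolePrincipals, logout removes only those three, and the failed login leaves the Subject empty because the LoginContext called abort() instead of commit(). Two details are worth copying: the password is compared as a digest with MessageDigest.isEqual and the char[] is zeroed in a finally block, and the module keeps its own record of the principals it added so that logout() cannot strip principals contributed by other modules in the same configuration.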


5. Difference Between Subject, Principal, and User


As the sections above show, principals represent the different aspects of one identity. A subject holds a set of principals, so principals are the parts that make up a subject; a user is the particular kind of subject, and the particular kind of principal, that refers to an end user or interactive operator rather than to a process or service.


6. Conclusion


In this tutorial, we defined subject, principal, and user, terms common to most security frameworks, and showed how they differ.


The implementation of all these examples and code snippets can be found in the GitHub project.
