摘自:Inside Java 2 Platform Security - 2nd Ed,published by Addison Wesley,2003
8.4.1 Subjects and Principals
Users often depend on computing services to assist them in performing work. Furthermore, services themselves might subsequently interact with other services.
JAAS uses the term subject to refer to a system entity, sUCh as a user or a computing service.
JAAS用术语subject来表示系统实体,比如一个用户或者一个计算服务。
To identify the subjects with which it interacts, a computing service typically relies on names. However, a subject might not have the same name for each service and, in fact, may even have a different name for each individual service.
服务通常以来名字来标识那些和它交互的subject.然而一个subject一般不会用同一个名字面向每个服务,实际上,甚至subject会用各不相同的名字面向每个服务。
The term principal represents a name associated with a subject [71]. Because a subject may have multiple names, potentially one for each service with which it interacts, a subject in JAAS comprises a set of principals.
术语principal表示和一个subject关联的名字。因为一个subject可以有多个名字,以便和不同的服务交互时采用不同的名字,一个subject由一组principal组成。
Once a subject is authenticated, an instance of javax.security.auth.Subject is created to represent that subject and is populated with objects that implement the java.security.Principal interface.
一旦subject通过了认证,系统就会生成一个javax.security.auth.Subject的实例来表示该subject,并且加入一些实现java.security.Principal接口的对象到Subject实例中。
Authentication represents the process by which one system entity verifies the identity of another and must be performed in a secure fashion; otherwise, an intruder may impersonate others to gain Access to a system.
认证就是一个系统实体验证另一个实体的身份的过程,并且必须在安全的方式下进行;否则入侵者就会伪装成别的实体进入系统。
Authentication typically involves the subject demonstrating possession of some form of evidence to prove its identity. Such evidence may be information only the subject would be likely to know or have, such as a passWord or smart card, or that only the subject could produce, such as signed data using a private key.
认证时,通常是一个subject出示其某种证据来证实它的身份。这些证据可以是这个subject知道或者拥有的信息,比如密码或者智能卡。。。
When it attempts to authenticate to a service, a subject typically provides the proof of its identity along with its name. If the authentication attempt succeeds, the service associates a service-specific Principal, using the given name, with the Subject. Applications and services can determine the identity of the Subject simply by referencing the relevant Principal associated with that Subject.
当它试图通过某个服务的认证时,subject通常随它的名字一起提供它身份的证实。假如认证通过了,服务会将一个特属于该服务的Principal和Subject关联,名字和subject请求认证时的名字相同。应用程序和服务可以通过参考Subject关联的Principal来识别Subject的身份。
Reliance on named principals usually derives from the fact that a service implements a conventional access control model of security [69]. This model allows a service to define a set of protected resources and the conditions under which named principals may access those resources.