分享
 
 
 

理解Subjects, Principals and Credentials

王朝java/jsp·作者佚名  2006-01-09
窄屏简体版  字體: |||超大  

摘自:Inside Java 2 Platform Security - 2nd Ed,published by Addison Wesley,2003

8.4.1 Subjects and Principals

Users often depend on computing services to assist them in performing work. Furthermore, services themselves might subsequently interact with other services.

JAAS uses the term subject to refer to a system entity, such as a user or a computing service.

JAAS用术语subject来表示系统实体,比如一个用户或者一个计算服务。

To identify the subjects with which it interacts, a computing service typically relies on names. However, a subject might not have the same name for each service and, in fact, may even have a different name for each individual service.

服务通常以来名字来标识那些和它交互的subject.然而一个subject一般不会用同一个名字面向每个服务,实际上,甚至subject会用各不相同的名字面向每个服务。

The term principal represents a name associated with a subject [71]. Because a subject may have multiple names, potentially one for each service with which it interacts, a subject in JAAS comprises a set of principals.

术语principal表示和一个subject关联的名字。因为一个subject可以有多个名字,以便和不同的服务交互时采用不同的名字,一个subject由一组principal组成。

Once a subject is authenticated, an instance of javax.security.auth.Subject is created to represent that subject and is populated with objects that implement the java.security.Principal interface.

一旦subject通过了认证,系统就会生成一个javax.security.auth.Subject的实例来表示该subject,并且加入一些实现java.security.Principal接口的对象到Subject实例中。

Authentication represents the process by which one system entity verifies the identity of another and must be performed in a secure fashion; otherwise, an intruder may impersonate others to gain access to a system.

认证就是一个系统实体验证另一个实体的身份的过程,并且必须在安全的方式下进行;否则入侵者就会伪装成别的实体进入系统。

Authentication typically involves the subject demonstrating possession of some form of evidence to prove its identity. Such evidence may be information only the subject would be likely to know or have, such as a password or smart card, or that only the subject could produce, such as signed data using a private key.

认证时,通常是一个subject出示其某种证据来证明它的身份。这些证据可以是这个subject知道或者拥有的信息,比如密码或者智能卡。。。

When it attempts to authenticate to a service, a subject typically provides the proof of its identity along with its name. If the authentication attempt succeeds, the service associates a service-specific Principal, using the given name, with the Subject. Applications and services can determine the identity of the Subject simply by referencing the relevant Principal associated with that Subject.

当它试图通过某个服务的认证时,subject通常随它的名字一起提供它身份的证明。如果认证通过了,服务会将一个特属于该服务的Principal和Subject关联,名字和subject请求认证时的名字相同。应用程序和服务可以通过参考Subject关联的Principal来识别Subject的身份。

Reliance on named principals usually derives from the fact that a service implements a conventional access control model of security [69]. This model allows a service to define a set of protected resources and the conditions under which named principals may access those resources.

命名的principals之所以值得信赖,源自服务一般都按惯例实现同一种访问控制安全模型。这个模型允许服务定义一个受保护的资源的集合,以及命名的principal可以访问这些资源的条件。

Both KeyNote [14] and SPKI [34] have focused on the limitations of using conventional names in large distributed systems for access control and note that public keys, instead, provide a more practical and scalable name representation.

JAAS and SPKI do not impose any restrictions on principal names. Localized environments that have limited namespaces or that do not rely on public-key cryptography may define principals that have conventional names.

Large-scale distributed systems may use principals that allow the principal name to be a public key.

8.4.2 Credentials

In addition to Principal information, some services may want to associate other security-related attributes and data with a Subject.

JAAS calls such generic security-related attributes credentials.

除了Principal的信息,有些服务还需要Subjec的其它一些安全相关的属性和数据。JAAS用术语credential表示这些平常的安全有关的属性。

A credential may contain information that could be used to authenticate the subject to additional services.

Some common types of credentials are passwords, Kerberos tickets [87] and public-key certificates.

一个credential可能包含该subject到其它的服务认证的信息。credentail通常是密码,Kerberos tickets以及公钥证书。

Many of these credential forms are used in environments that support single sign-on.

Credentials may also contain data that simply enables the subject to perform certain activities. Cryptographic keys,

for example, represent credentials that enable the subject to sign or encrypt data. In JAAS, credentials may be any type

of object. Therefore, existing credential implementations, such as java.security.cert.Certificate, can be easily

incorporated into JAAS. Third-party credential implementations may also be plugged in to the JAAS framework.

credentials也可以包含一些数据,以便subject可以执行一些特定点活动。比如包含Cryptographic keys, subject就可以签名或者加密数据。

在JAAS框架中,credential可以使任何类型的对象。

Although Kerberos tickets and cryptographic keys exemplify common types of credentials,

credentials can represent a wider range of security-related data.

Applications running on behalf of subjects must coordinate with the services on which they depend so as to

agree on the kinds of credentials that are needed and recognized during their interactions.

Thus, some credentials might be standard or well recognized, whereas others might be application and service specific.

In addition, credential implementations do not necessarily have to contain the security-related data;

they might simply reference that data. This occurs when the data must physically reside on a separate server or hardware device,

such as private keys on a smart card.

A subject must successfully authenticate to a service to obtain credentials. On successful authentication,

the service creates the appropriate credential object and associates it with the Subject.

Once a Subject has been populated with credentials, applications considered to be running on behalf of the subject may,

with the proper permissions, then access and use those credentials.

一个subject必须成功通过服务的认证,才能拿到credentials.

JAAS does not impose any restrictions about credential delegation to third parties.

Rather, JAAS either allows each credential implementation to specify its own delegation protocol, as Kerberos does,

or leaves delegation decisions up to the applications.

JAAS divides each Subject's credentials into two sets. One set contains the subject's public credentials,

such as public-key certificates. The other set stores the subject's private credentials, such as private keys,

Kerberos tickets, encryption keys, passwords, and so on.

To access a Subject's public credentials, no permissions are required. However,

access to a Subject's private credential set requires the caller to have been granted a PrivateCredentialPermission for the corresponding credential class.

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有