In the context of security frameworks, the terms subject, user and principal keep coming up, and I have never been able to find a clear definition of them or of the differences between them.
So what do these terms actually mean, and why is it necessary to distinguish between a subject and a principal?
Current answer
A Subject is the entity that requests a service. It can be a user or a process. That is probably why the word Subject was chosen rather than user.
When a subject tries to access a service, the subject has to be authenticated first. Successful authentication ends with loading the Security Principals for that Subject. For example, in a Role Based Access Control system, an authenticated (logged-in) user will usually have two principals: userId and roleId. In such systems, the privileges (i.e. who can access what) are specified both for roles and for users. During authorization (i.e. checking whether the requested service should be permitted), the security system will check for accessibility against both principals.
So, from the authorization point of view, the Principal is the actual entity that is allowed or denied access. The Subject is just a user/thread/process that holds some Principals.
Other answers
Take a look at my concept map of authentication:
I think the term comes from JAAS.
When an application uses JAAS authentication to authenticate a user (or another entity such as a service), a Subject is created as a result. The purpose of the Subject is to represent the authenticated user. A Subject is made up of a set of Principals, where each Principal represents an identity of that user. For example, a Subject could have a name Principal ("Susan Smith") and a Social Security Number Principal ("987-65-4321"), thereby distinguishing this Subject from other Subjects.
As T.Rob explained, a Subject is any entity that requests access to an object. Starting from that, I found a comment in the javax.security.auth.Subject source code that I found very useful and easy to understand:
"Subjects may potentially have multiple identities. Each identity is represented as a Principal within the Subject. Principals simply bind names to a Subject. For example, a Subject that happens to be a person, Alice, might have two Principals: one which binds "Alice Bar", the name on her driver license, to the Subject, and another which binds, "999-99-9999", the number on her student identification card, to the Subject. Both Principals refer to the same Subject even though each has a different name."
Hope it helps.
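As an added example (not code from any of the answers above), the following Java program ties together the accepted answer's point that a logged-in user carries both a userId and a roleId principal which are both checked at authorization time, and the javax.security.auth.Subject comment quoted above about one Subject holding several Principals. The UserPrincipal and RolePrincipal types, the ACL contents and the authenticate() stand-in for a JAAS login module are all assumptions made for the illustration.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

// Hypothetical Principal types: one binds a user name to the Subject,
// the other binds a role name. Records give us equals/hashCode for free,
// which is what makes Set.contains work in the ACL check below.
record UserPrincipal(String name) implements Principal {
    public String getName() { return name; }
}
record RolePrincipal(String name) implements Principal {
    public String getName() { return name; }
}

public class SubjectPrincipalDemo {
    // Constructed ACL: service -> principals permitted to use it. As in an
    // RBAC system, an entry may name either a role or an individual user.
    static final Map<String, Set<Principal>> ACL = Map.of(
        "payroll:read",  Set.of(new RolePrincipal("hr")),
        "payroll:write", Set.of(new UserPrincipal("alice")),
        "admin:reset",   Set.of(new RolePrincipal("admin")));

    // Stand-in for a successful JAAS login: a real LoginModule would verify
    // credentials and then attach the identities it established as Principals.
    static Subject authenticate(String userId, String roleId) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal(userId));
        subject.getPrincipals().add(new RolePrincipal(roleId));
        return subject;
    }

    // Authorization is decided against the Principals, not the Subject itself:
    // access is permitted if any Principal held by the Subject is on the ACL.
    static boolean isPermitted(Subject subject, String service) {
        Set<Principal> allowed = ACL.getOrDefault(service, Set.of());
        return subject.getPrincipals().stream().anyMatch(allowed::contains);
    }

    public static void main(String[] args) {
        Subject alice = authenticate("alice", "hr");
        System.out.println("payroll:read  -> " + isPermitted(alice, "payroll:read"));
        System.out.println("payroll:write -> " + isPermitted(alice, "payroll:write"));
        System.out.println("admin:reset   -> " + isPermitted(alice, "admin:reset"));
        // The Subject can be asked for one kind of identity at a time.
        System.out.println("roles: " + alice.getPrincipals(RolePrincipal.class));
    }
}
```

Run it with `java SubjectPrincipalDemo.java` (Java 16 or later, for records); payroll:read is granted through the role principal, payroll:write through the user principal, and admin:reset is denied because neither principal matches.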
Following rahulmohan's answer, I think: before authentication it is a subject, after authentication it is a principal; in a different sense, one subject can have many principals.