主题是请求服务的实体。它可以是用户或流程。可能这就是为什么选择了Subject而不是user的原因。

When a subject tries to access a service, the subject has to be authenticated first. Successful authentication ends with loading the Security Principals for that Subject. For example, in a Role Based Access Control system, an authenticated (logged-in) user will usually have two principals - userId and roleId. In such systems, the privileges(i.e who can access what) are specified for both roles and for users. During authorization(i.e checking whether the requested service should be permitted), the security system will check for accessibility against both the principals.

因此，从授权的角度来看，主体是允许或不允许访问的实际实体。Subject只是一个持有一些主体的用户/线程/进程。

它们是有等级的，就像属，种和个体有等级一样。

Subject - In a security context, a subject is any entity that requests access to an object. These are generic terms used to denote the thing requesting access and the thing the request is made against. When you log onto an application you are the subject and the application is the object. When someone knocks on your door the visitor is the subject requesting access and your home is the object access is requested of. Principal - A subset of subject that is represented by an account, role or other unique identifier. When we get to the level of implementation details, principals are the unique keys we use in access control lists. They may represent human users, automation, applications, connections, etc. User - A subset of principal usually referring to a human operator. The distinction is blurring over time because the words "user" or "user ID" are commonly interchanged with "account". However, when you need to make the distinction between the broad class of things that are principals and the subset of these that are interactive operators driving transactions in a non-deterministic fashion, "user" is the right word.

Subject/Object继承了语法中使用的相同术语。在句子中，主语是施动者，客体是被施动的事物。从这个意义上说，在计算机发明之前，这种用法就已经存在了。在安全上下文中，主题是可以发出请求的任何东西。如上所述，这并不局限于IT安全，因此是一个非常广泛的分类。有趣的是，主语隐含着宾语。没有客体，就没有主体。

主体是主体决心要达到的目标。当你出示你的信用卡时，你是主体，账号是本金。在其他情况下，您的用户ID或国家颁发的标识是您的主体。但主体可以与许多类型的主体联系在一起，而不是人。当应用程序对系统级功能发出请求时，主体可以是已签名的可执行代码模块的签名者，但即使在这种情况下，驱动请求的用户仍然是主体。

User is more specific than subject or principal in that it usually refers to an interactive operator. That is why we have a graphical User Interface and not a Graphical Principal Interface. A user is an instance of subject that resolves to a principal. A single user may resolve to any number of principals but any principal is expected to resolve to a single user (assuming people observe the requirement not to share IDs). In the example above, the signer of an executable code module is definitely not the user, but it is a valid principal. The interactive operator trying to get the module loaded is the user.

As noted in the comments, even the authoritative sources do not agree on these terms. I searched NIST, SANS, IEEE, MITRE and several "quasi-authoritative" sources such as security exam guides while preparing this response. No single source that I found which was at least quasi-authoritative covered all three terms and all differed significantly in their usage. This is my take on how the terms should be used but from a practical standpoint, when you are poring over a manual in the middle of the night, the definitions tend to be whatever the vendor or writer say they are. Hopefully though responses here will provide enough insight to navigate the waters and parse any security document using these terms.

主题是请求服务的实体。它可以是用户或流程。可能这就是为什么选择了Subject而不是user的原因。

When a subject tries to access a service, the subject has to be authenticated first. Successful authentication ends with loading the Security Principals for that Subject. For example, in a Role Based Access Control system, an authenticated (logged-in) user will usually have two principals - userId and roleId. In such systems, the privileges(i.e who can access what) are specified for both roles and for users. During authorization(i.e checking whether the requested service should be permitted), the security system will check for accessibility against both the principals.

因此，从授权的角度来看，主体是允许或不允许访问的实际实体。Subject只是一个持有一些主体的用户/线程/进程。

看看我的身份验证概念图:

这是下面从Oracle JAVA SE文档解释的链接。

Subjects, Principals, Authentication, and Credentials To authorize access to resources, applications first need to authenticate the source of the request. The JAAS framework defines the term subject to represent the source of a request. A subject may be any entity, such as a person or service. A subject is represented by the javax.security.auth.Subject class. Authentication represents the process by which the identity of a subject is verified, and must be performed in a secure fashion; otherwise a perpetrator may impersonate others to gain access to a system. Authentication typically involves the subject demonstrating some form of evidence to prove its identity. Such evidence may be information only the subject would likely know or have (such as a password or fingerprint), or it may be information only the subject could produce (such as signed data using a private key). Once authenticated, a Subject is populated with associated identities, or Principals (of type java.security.Principal). A Subject may have many Principals. For example, a person may have a name Principal ("John Doe") and an SSN Principal ("123-45-6789"), which distinguish it from other Subjects. In addition to associated Principals, a Subject may own security-related attributes, which are referred to as credentials. A credential may contain information used to authenticate the subject to new services. Such credentials include passwords, Kerberos tickets, and public key certificates. Credentials might also contain data that enables the subject to perform certain activities. Cryptographic keys, for example, represent credentials that enable the subject to sign or encrypt data. Public and private credential classes are not part of the core J2SE API. Any class, therefore, can represent a credential.

我认为这个术语来自JAAS。

当应用程序使用JAAS时 验证以验证 用户(或其他实体，如 service)， Subject被创建为 结果。本课题的目的是 表示已验证的用户。一个 主体是由一组 Principal，其中每个Principal 表示该用户的标识。 例如，一个Subject可以有一个 校长(“苏珊·史密斯”)和一位 社会保险号 (“987-65-4321”),从而 将这门学科与其他学科区别开来 科目。