看看我的身份验证概念图:

我认为这个术语来自JAAS。

当应用程序使用JAAS时 验证以验证 用户(或其他实体，如 service)， Subject被创建为 结果。本课题的目的是 表示已验证的用户。一个 主体是由一组 Principal，其中每个Principal 表示该用户的标识。 例如，一个Subject可以有一个 校长(“苏珊·史密斯”)和一位 社会保险号 (“987-65-4321”),从而 将这门学科与其他学科区别开来 科目。

根据rahulmohan，我认为，在认证之前是主体，在认证之后是主体， 在不同的意义上，一个主体可以有许多主体

主题是请求服务的实体。它可以是用户或流程。可能这就是为什么选择了Subject而不是user的原因。

When a subject tries to access a service, the subject has to be authenticated first. Successful authentication ends with loading the Security Principals for that Subject. For example, in a Role Based Access Control system, an authenticated (logged-in) user will usually have two principals - userId and roleId. In such systems, the privileges(i.e who can access what) are specified for both roles and for users. During authorization(i.e checking whether the requested service should be permitted), the security system will check for accessibility against both the principals.

因此，从授权的角度来看，主体是允许或不允许访问的实际实体。Subject只是一个持有一些主体的用户/线程/进程。

它们是有等级的，就像属，种和个体有等级一样。

Subject - In a security context, a subject is any entity that requests access to an object. These are generic terms used to denote the thing requesting access and the thing the request is made against. When you log onto an application you are the subject and the application is the object. When someone knocks on your door the visitor is the subject requesting access and your home is the object access is requested of. Principal - A subset of subject that is represented by an account, role or other unique identifier. When we get to the level of implementation details, principals are the unique keys we use in access control lists. They may represent human users, automation, applications, connections, etc. User - A subset of principal usually referring to a human operator. The distinction is blurring over time because the words "user" or "user ID" are commonly interchanged with "account". However, when you need to make the distinction between the broad class of things that are principals and the subset of these that are interactive operators driving transactions in a non-deterministic fashion, "user" is the right word.

Subject/Object继承了语法中使用的相同术语。在句子中，主语是施动者，客体是被施动的事物。从这个意义上说，在计算机发明之前，这种用法就已经存在了。在安全上下文中，主题是可以发出请求的任何东西。如上所述，这并不局限于IT安全，因此是一个非常广泛的分类。有趣的是，主语隐含着宾语。没有客体，就没有主体。

主体是主体决心要达到的目标。当你出示你的信用卡时，你是主体，账号是本金。在其他情况下，您的用户ID或国家颁发的标识是您的主体。但主体可以与许多类型的主体联系在一起，而不是人。当应用程序对系统级功能发出请求时，主体可以是已签名的可执行代码模块的签名者，但即使在这种情况下，驱动请求的用户仍然是主体。

User is more specific than subject or principal in that it usually refers to an interactive operator. That is why we have a graphical User Interface and not a Graphical Principal Interface. A user is an instance of subject that resolves to a principal. A single user may resolve to any number of principals but any principal is expected to resolve to a single user (assuming people observe the requirement not to share IDs). In the example above, the signer of an executable code module is definitely not the user, but it is a valid principal. The interactive operator trying to get the module loaded is the user.

As noted in the comments, even the authoritative sources do not agree on these terms. I searched NIST, SANS, IEEE, MITRE and several "quasi-authoritative" sources such as security exam guides while preparing this response. No single source that I found which was at least quasi-authoritative covered all three terms and all differed significantly in their usage. This is my take on how the terms should be used but from a practical standpoint, when you are poring over a manual in the middle of the night, the definitions tend to be whatever the vendor or writer say they are. Hopefully though responses here will provide enough insight to navigate the waters and parse any security document using these terms.

正如T.Rob解释的那样，Subject是请求访问对象的任何实体。从这一点开始，我在javax.security.auth.Subject代码上找到了一个注释，我发现它非常有用，而且很容易理解:

"Subjects may potentially have multiple identities. Each identity is represented as a Principal within the Subject. Principals simply bind names to a Subject. For example, a Subject that happens to be a person, Alice, might have two Principals: one which binds "Alice Bar", the name on her driver license, to the Subject, and another which binds, "999-99-9999", the number on her student identification card, to the Subject. Both Principals refer to the same Subject even though each has a different name."

希望能有所帮助。