Understanding Subjects, Principals and Credentials

2024-04-13 14:18


Excerpted from: Inside Java 2 Platform Security, 2nd Ed., published by Addison Wesley, 2003

8.4.1 Subjects and Principals
Users often depend on computing services to assist them in performing work. Furthermore, services themselves might subsequently interact with other services.

JAAS uses the term subject to refer to a system entity, such as a user or a computing service.

To identify the subjects with which it interacts, a computing service typically relies on names. However, a subject might not have the same name for each service and, in fact, may even have a different name for each individual service.

The term principal represents a name associated with a subject [71]. Because a subject may have multiple names, potentially one for each service with which it interacts, a subject in JAAS comprises a set of principals.

Once a subject is authenticated, an instance of javax.security.auth.Subject is created to represent that subject and is populated with objects that implement the java.security.Principal interface.

Authentication represents the process by which one system entity verifies the identity of another and must be performed in a secure fashion; otherwise, an intruder may impersonate others to gain access to a system.

Authentication typically involves the subject demonstrating possession of some form of evidence to prove its identity. Such evidence may be information only the subject would be likely to know or have, such as a password or smart card, or that only the subject could produce, such as signed data using a private key.

When it attempts to authenticate to a service, a subject typically provides the proof of its identity along with its name. If the authentication attempt succeeds, the service associates a service-specific Principal, using the given name, with the Subject. Applications and services can determine the identity of the Subject simply by referencing the relevant Principal associated with that Subject.

Reliance on named principals usually derives from the fact that a service implements a conventional access control model of security [69]. This model allows a service to define a set of protected resources and the conditions under which named principals may access those resources.

Both KeyNote [14] and SPKI [34] have focused on the limitations of using conventional names in large distributed systems for access control and note that public keys, instead, provide a more practical and scalable name representation.
JAAS and SPKI do not impose any restrictions on principal names. Localized environments that have limited namespaces or that do not rely on public-key cryptography may define principals that have conventional names.
Large-scale distributed systems may use principals that allow the principal name to be a public key.

8.4.2 Credentials
In addition to Principal information, some services may want to associate other security-related attributes and data with a Subject.
JAAS calls such generic security-related attributes credentials.

A credential may contain information that could be used to authenticate the subject to additional services.
Some common types of credentials are passwords, Kerberos tickets [87] and public-key certificates.

Many of these credential forms are used in environments that support single sign-on.

Credentials may also contain data that simply enables the subject to perform certain activities. Cryptographic keys, for example, represent credentials that enable the subject to sign or encrypt data.
In JAAS, credentials may be any type of object. Therefore, existing credential implementations, such as java.security.cert.Certificate, can be easily incorporated into JAAS.
Third-party credential implementations may also be plugged in to the JAAS framework.

Although Kerberos tickets and cryptographic keys exemplify common types of credentials,
credentials can represent a wider range of security-related data.

Applications running on behalf of subjects must coordinate with the services on which they depend so as to
agree on the kinds of credentials that are needed and recognized during their interactions.
Thus, some credentials might be standard or well recognized, whereas others might be application and service specific.

In addition, credential implementations do not necessarily have to contain the security-related data;
they might simply reference that data. This occurs when the data must physically reside on a separate server or hardware device,
such as private keys on a smart card.

A subject must successfully authenticate to a service to obtain credentials. On successful authentication,
the service creates the appropriate credential object and associates it with the Subject.
Once a Subject has been populated with credentials, applications considered to be running on behalf of the subject may,
with the proper permissions, then access and use those credentials.

JAAS does not impose any restrictions about credential delegation to third parties.
Rather, JAAS either allows each credential implementation to specify its own delegation protocol, as Kerberos does,
or leaves delegation decisions up to the applications.

JAAS divides each Subject's credentials into two sets. One set contains the subject's public credentials,
such as public-key certificates. The other set stores the subject's private credentials, such as private keys,
Kerberos tickets, encryption keys, passwords, and so on.

To access a Subject's public credentials, no permissions are required. However,
access to a Subject's private credential set requires the caller to have been granted a PrivateCredentialPermission for the corresponding credential class.
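
The following is an added example, not code from the book or from the original post. It populates a Subject the way sections 8.4.1 and 8.4.2 describe: two principals for one subject, a public key in the public credential set and the matching private key in the private set. MailPrincipal, the names and the signed message are constructed for illustration; records require Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class SubjectDemo {
    // Hypothetical service-specific principal: the name a mail service knows the subject by.
    record MailPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("EC").generateKeyPair(); // constructed sample key

        // What a login module would do after a successful authentication.
        Subject subject = new Subject();
        subject.getPrincipals().add(new X500Principal("CN=Alice, O=Example"));
        subject.getPrincipals().add(new MailPrincipal("alice@mail.example"));
        subject.getPublicCredentials().add(kp.getPublic());
        subject.getPrivateCredentials().add(kp.getPrivate());
        subject.setReadOnly(); // freeze the principal and credential sets

        // One subject, several names: each service looks up the principal type it understands.
        for (MailPrincipal p : subject.getPrincipals(MailPrincipal.class)) {
            System.out.println("mail service sees: " + p.getName());
        }
        try {
            subject.getPrincipals().add(new MailPrincipal("mallory@mail.example"));
        } catch (IllegalStateException e) {
            System.out.println("read-only subject rejected a new principal");
        }

        // Private set: under a SecurityManager this lookup requires PrivateCredentialPermission.
        PrivateKey priv = subject.getPrivateCredentials(PrivateKey.class).iterator().next();
        byte[] msg = "transfer 10 units".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(priv);
        signer.update(msg);
        byte[] sig = signer.sign();

        // Public set: readable without any permission, enough to verify the signature.
        PublicKey pub = subject.getPublicCredentials(PublicKey.class).iterator().next();
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(pub);
        verifier.update(msg);
        System.out.println("signature valid: " + verifier.verify(sig));
    }
}
```

When no SecurityManager is installed, the PrivateCredentialPermission check is not performed, so any code holding a reference to the Subject can read its private credentials; limit who receives that reference.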
