Sort of, the Subject would be the actor, the Subject has principals

On Wed, Nov 4, 2020 at 11:34 AM Alex Orlov <[email protected]> wrote:

> Thank you for such a detailed explanation. As a result, just to check that
> my understanding is correct, can we say:
>
> Principal is a subset of Subject, so Principal is an actor. However, as
> Shiro supports different security types, Shiro uses Principal as an actor's
> identifying attribute for a generic approach.
>
> --
> Best regards, Alex Orlov
>
> Wednesday, 4 November 2020, 18:37 +03:00 from Brian Demers <[email protected]>:
>
>> The SO answer looks pretty good to me, but it's pretty high level.
>> You also need to take into account how they are used in context and naming
>> conventions (e.g. Java has `java.security.principal`)
>>
>> A principal could be any object, it's commonly a String, i.e. a username
>> or email address. These may or may not be the identifier for the
>> principal. It's common for usernames and email addresses to change as the
>> result of a marriage or adoption, so another identifier might be used.
>>
>> Another common case of an AuthenticationToken is Bearer tokens.
>> Shiro's Bearer token:
>> https://github.com/apache/shiro/blob/master/core/src/main/java/org/apache/shiro/authc/BearerToken.java
>> is modeled as a string, but it is NOT a principal identifier, really it's
>> ONLY a credential.
>>
>> A bearer token might be an opaque string, or it could be a security token
>> (e.g. a JWT/PASETO/etc); when the token is validated, it _might_ not
>> contain any identifier.
>>
>> Similar to certificate-based authentication, you might just have the
>> cert as an object and NOT a String.
>>
>> In practice... when we talk about human users they often have some sort of
>> string identifier, because we naturally think username/password
>> authentication. This is NOT universal though.
>>
>> Sorry for the rambling answer, I'm not sure if I've answered your question
>> or not.
>> -Brian
>>
>> On Wed, Nov 4, 2020 at 8:31 AM Alex Orlov <[email protected]> wrote:
>>
>>> Let me explain the reason for this question.
>>>
>>> From the SO answer (https://stackoverflow.com/a/5025140/5057736):
>>>
>>> "*Principal* - A subset of *subject* that is represented by an account,
>>> role or other unique identifier. When we get to the level of implementation
>>> details, principals are the unique keys we use in access control lists.
>>> They may represent human users, automation, applications, connections, etc.
>>> ...
>>> Subject/Object inherits from the same terms as used in grammar. In a
>>> sentence the subject is the actor and the object is the thing acted on."
>>>
>>> So, Principal is a subset of Subject → principal is an actor.
>>>
>>> However, in Shiro a *Principal* is any identifying attribute of an
>>> application user (Subject).
>>>
>>> So, I am trying to understand which is the case: 1) The SO answer is wrong.
>>> 2) Shiro is wrong. 3) I understand everything wrong.
>>>
>>> If #2, then AuthenticationToken should be
>>>
>>>     public interface AuthenticationToken extends Serializable {
>>>         public Object getPrincipalId(); // added "Id"
>>>         public Object getCredentials();
>>>     }
>>>
>>> --
>>> Best regards, Alex Orlov
>>>
>>> Wednesday, 4 November 2020, 15:01 +03:00 from Benjamin Marwell <[email protected]>:
>>>
>>>> Correct.
>>>>
>>>> To complete the picture:
>>>>
>>>> https://shiro.apache.org/terminology.html
>>>>
>>>> Also, the PrincipalCollection knows which realms the user is known in.
>>>> This is why most methods return such a collection, not a single Principal.
>>>>
>>>> Most apps only have one realm, but they could have multiple realms. E.g.
>>>> LDAP and a config file.
>>>>
>>>> On Wed, 4 Nov 2020, 12:30 Andreas Reichel, <[email protected]> wrote:
>>>>
>>>>> On Wed, 2020-11-04 at 13:07 +0300, Alex Orlov wrote:
>>>>>> So, could anyone explain what is Principal — is it a User or User.getId()?
>>>>>
>>>>> Good afternoon Alex.
>>>>>
>>>>> While I am just a Shiro user (but not a developer), my understanding is
>>>>> that a Principal is anything you (or a service) can authenticate or
>>>>> authorize against.
>>>>> Any entity you can send to a service and get a response ("yes",
>>>>> authenticated) for is a principal.
>>>>>
>>>>> The nature of this principal depends on the service itself.
>>>>> If the authentication service expects a Username, then this Username is a
>>>>> Principal. But if the service expects a Global Unique Token, then this
>>>>> Username would not qualify as a Principal (but the Token would).
>>>>>
>>>>> Cheers!
>>>>> Andreas
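An added illustration of the distinction drawn in this thread (a principal is an identifying attribute the Subject ends up with, a credential-only token carries none until a realm validates it, and a PrincipalCollection records which realm vouched for which principal). It is not code from the thread or from Shiro; it assumes shiro-core on the classpath, and `OpaqueBearerToken`, `ISSUED_TOKENS`, the realm names and the sample values are hypothetical.

```java
import java.util.Map;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class PrincipalDemo {

    // Hypothetical credential-only token (stand-in for an opaque bearer token):
    // the string is the credential and names nobody, so getPrincipal() is null.
    static final class OpaqueBearerToken implements AuthenticationToken {
        private final String token;
        OpaqueBearerToken(String token) { this.token = token; }
        @Override public Object getPrincipal() { return null; }
        @Override public Object getCredentials() { return token; }
    }

    // Constructed stand-in for token validation (e.g. an introspection call):
    // maps an issued token to the stable account id it was issued for.
    static final Map<String, String> ISSUED_TOKENS = Map.of("tok-8f3a", "acct-1001");

    // What a realm does: turn a token into the principals it vouches for.
    // Returns null when the token does not authenticate.
    static PrincipalCollection authenticate(AuthenticationToken token) {
        if (token instanceof UsernamePasswordToken) {
            // The caller supplied the identifier; the password (not checked
            // here) is the credential.
            String username = (String) token.getPrincipal();
            return new SimplePrincipalCollection(username, "iniRealm");
        }
        if (token instanceof OpaqueBearerToken) {
            String accountId = ISSUED_TOKENS.get((String) token.getCredentials());
            if (accountId == null) return null;
            // The identifier comes out of validation, not out of the token.
            return new SimplePrincipalCollection(accountId, "tokenRealm");
        }
        return null;
    }

    public static void main(String[] args) {
        PrincipalCollection fromToken = authenticate(new OpaqueBearerToken("tok-8f3a"));
        System.out.println("bearer resolved to: " + fromToken.getPrimaryPrincipal());

        // One Subject known in two realms: a username in one, an LDAP DN in the
        // other. The collection keeps track of which realm supplied which.
        SimplePrincipalCollection both = new SimplePrincipalCollection("alice", "iniRealm");
        both.add("uid=alice,ou=people,dc=example,dc=com", "ldapRealm");
        System.out.println("realms: " + both.getRealmNames());
        System.out.println("ldap principals: " + both.fromRealm("ldapRealm"));
        System.out.println("primary principal: " + both.getPrimaryPrincipal());
    }
}
```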
