The SO answer looks pretty good to me, but it's pretty high level.
You also need to take into account how they are used in context and naming
conventions (e.g. Java has `java.security.principal`)

A principal could be any object; it's commonly a String, i.e. a username or
email address.  These may or may not be the identifier for the principal.
It's common for usernames and email addresses to change as the result of a
marriage or adoption, so another identifier might be used.

Another common case of an AuthenticationToken is bearer tokens. Shiro's
BearerToken
(https://github.com/apache/shiro/blob/master/core/src/main/java/org/apache/shiro/authc/BearerToken.java)
is modeled as a string, but it is NOT a principal identifier; really it's
ONLY a credential.

A bearer token might be an opaque string, or it could be a security token
(e.g. a JWT/PASETO/etc.); when the token is validated, it _might_ not
contain any identifier.

Similarly, with certificate-based authentication, you might just have the
cert as an object and NOT a String.

In practice... when we talk about human users they often have some sort of
string identifier, because we naturally think of username/password
authentication.  This is NOT universal though.


Sorry for the rambling answer, I'm not sure if I've answered your question
or not.
-Brian


On Wed, Nov 4, 2020 at 8:31 AM Alex Orlov <[email protected]> wrote:

> Let me explain the reason for this question.
>
> From the SO answer (https://stackoverflow.com/a/5025140/5057736):
>
> "*Principal* - A subset of *subject* that is represented by an account,
> role or other unique identifier. When we get to the level of implementation
> details, principals are the unique keys we use in access control lists.
> They may represent human users, automation, applications, connections, etc.
> …
> *Subject/Object* inherits from the same terms as used in grammar. In a
> sentence the subject is the actor and the object is the thing acted on."
>
> So, Principal is a subset of Subject → principal is an actor.
>
> However, in Shiro A *Principal* is any identifying attribute of an
> application user (Subject).
>
> So, I try to understand: 1) The SO answer is wrong. 2) Shiro is wrong. 3) I
> understand everything wrong.
>
> If #2, then AuthenticationToken should be
>
> public interface AuthenticationToken extends Serializable {
>     public Object getPrincipalId();//added "Id"
>     public Object getCredentials();
> }
>
>
>
> --
> Best regards, Alex Orlov
>
> Wednesday, November 4, 2020, 15:01 +03:00 from Benjamin Marwell <
> [email protected]>:
>
> Correct.
>
> To complete the picture:
>
> https://shiro.apache.org/terminology.html
>
> Also, the PrincipalCollection knows which realms the user is known in.
> This is why most methods return such a collection, not a single Principal.
>
> Most apps only have one realm, but they could have multiple realms. E.g.
> LDAP and a config file.
>
>
>
>
> On Wed, 4 Nov 2020, 12:30 Andreas Reichel, <[email protected]>
> wrote:
>
>
>
>
> On Wed, 2020-11-04 at 13:07 +0300, Alex Orlov wrote:
>
> So, could anyone explain what is Principal — is it a User or User.getId()?
>
>
>
> Good afternoon Alex.
>
> While I am just a Shiro user (not a developer), my understanding is
> that a Principal is anything you (or a service) can authenticate or
> authorize against.
> Any entity you can send to a service and get a response ("yes,
> authenticated") for is a principal.
>
> The nature of this principal depends on the service itself.
> If the authentication service expects a Username, then this Username is a
> Principal. But if the service expects a Global Unique Token, then this
> Username would not qualify as a Principal (but the Token would).
>
> Cheers!
> Andreas
>
>

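Brian's distinction above (a bearer string is a credential, not a principal identifier, and the identifier that comes out of validation should be something stabler than a username or e-mail) and Benjamin's note that a PrincipalCollection records which realm knows the user, as an added example in Java. This is not code from the thread or from Shiro's own code base; it assumes shiro-core on the classpath, and OpaqueBearerToken, TokenRealm, the realm names "tokenRealm"/"ldapRealm", the token table and the e-mail/LDAP values are all hypothetical, constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

/**
 * Hypothetical token type (not Shiro's BearerToken). The opaque string is ONLY a
 * credential: until a realm validates it there is no identifier, so getPrincipal()
 * returns null instead of echoing the token back as if it named someone.
 */
final class OpaqueBearerToken implements AuthenticationToken {
    private static final long serialVersionUID = 1L;
    private final String raw;

    OpaqueBearerToken(String raw) {
        this.raw = raw;
    }

    @Override
    public Object getPrincipal() {
        return null; // no identifier yet; that is the realm's job
    }

    @Override
    public Object getCredentials() {
        return raw;
    }
}

/**
 * Hypothetical realm. It validates the bearer string against a constructed
 * in-memory table and returns a stable account id as the primary principal;
 * the e-mail is attached only as a secondary, non-identifying principal.
 */
final class TokenRealm extends AuthenticatingRealm {
    /** Constructed sample data: bearer string -> account id. */
    private static final Map<String, Long> VALID_TOKENS = new HashMap<>();
    static {
        VALID_TOKENS.put("c2f1a9d0e7b44a5f8c3d2e1f0a9b8c7d", 42L);
    }

    TokenRealm() {
        setName("tokenRealm");
        // The table lookup below is the whole check; nothing is left to compare after it.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof OpaqueBearerToken;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String raw = (String) token.getCredentials();
        Long accountId = VALID_TOKENS.get(raw);
        if (accountId == null) {
            // One generic failure: do not say whether the token was malformed, expired or unknown.
            throw new AuthenticationException("bearer token rejected");
        }
        // First principal added is the primary one: the id, which survives renames.
        SimplePrincipalCollection principals = new SimplePrincipalCollection(accountId, getName());
        principals.add("alex@example.com", getName()); // constructed value, display only
        return new SimpleAuthenticationInfo(principals, raw);
    }
}

public class PrincipalDemo {
    public static void main(String[] args) {
        TokenRealm realm = new TokenRealm();

        AuthenticationInfo info = realm.getAuthenticationInfo(
                new OpaqueBearerToken("c2f1a9d0e7b44a5f8c3d2e1f0a9b8c7d"));
        PrincipalCollection principals = info.getPrincipals();
        System.out.println("primary principal: " + principals.getPrimaryPrincipal()); // 42
        System.out.println("realms: " + principals.getRealmNames());                   // [tokenRealm]

        // A second realm (say LDAP) may know the same subject under a different attribute.
        // Merged by hand here; in Shiro the ModularRealmAuthenticator's strategy does this.
        SimplePrincipalCollection merged = new SimplePrincipalCollection(principals);
        merged.add("uid=aorlov,ou=people,dc=example,dc=com", "ldapRealm");
        System.out.println("from ldapRealm: " + merged.fromRealm("ldapRealm"));
        System.out.println("from tokenRealm: " + merged.fromRealm("tokenRealm"));

        try {
            realm.getAuthenticationInfo(new OpaqueBearerToken("not-a-real-token"));
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point to take from it: the token type carries no identifier at all, the realm decides what the identifier is after validation, and the PrincipalCollection keeps the id, the e-mail and the LDAP DN apart by realm so authorization code can ask for exactly the attribute it needs.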