Thank you for such a detailed explanation. As a result, just to check that my
understanding is correct, can we say:
Principal is a subset of Subject, so Principal is an actor. However, as Shiro
supports different security types, Shiro uses Principal as an actor’s
identifying attribute for a generic approach.
--
Best regards, Alex Orlov
>Wednesday, 4 November 2020, 18:37 +03:00 from Brian Demers <[email protected]>:
>
>The SO answer looks pretty good to me, but it's pretty high level.
>You also need to take into account how they are used in context and naming
>conventions (e.g. Java has `java.security.principal`)
>
>A principal could be any object, it's commonly a String, i.e. a username or
>email address. These may or may not be the identifier for the principal.
>It's common for usernames and email addresses to change as the result of a
>marriage or adoption, so another identifier might be used.
>
>Another common case of an AuthenticationToken is Bearer tokens. Shiro's Bearer
>token
>(https://github.com/apache/shiro/blob/master/core/src/main/java/org/apache/shiro/authc/BearerToken.java)
>is modeled as a string, but it is NOT a principal identifier, really it's
>ONLY a credential.
>
>A bearer token might be an opaque string, or it could be a security token
>(e.g. a JWT/PASETO/etc), when the token is validated, it _might_ not contain
>any identifier.
>
>Similar to a certificate-based authentication, you might just have the cert as
>an object and NOT a String.
>
>In practice... when we talk about human users they often have some sort of
>string identifier, because we naturally think username/password
>authentication. This is NOT universal though.
>
>
>Sorry for the rambling answer, I'm not sure if I've answered your question or
>not.
>-Brian
>
>On Wed, Nov 4, 2020 at 8:31 AM Alex Orlov < [email protected] > wrote:
>>Let me explain the reason for this question.
>>
>>From the SO answer ( https://stackoverflow.com/a/5025140/5057736 ):
>>
>>"Principal - A subset of subject that is represented by an account, role or
>>other unique identifier. When we get to the level of implementation details,
>>principals are the unique keys we use in access control lists. They may
>>represent human users, automation, applications, connections, etc.
>>…
>>Subject/Object inherits from the same terms as used in grammar. In a sentence
>>the subject is the actor and the object is the thing acted on. "
>>
>>So, Principal is a subset of Subject → principal is an actor.
>>
>>However, in Shiro A Principal is any identifying attribute of an application
>>user (Subject).
>>
>>So, I am trying to understand which of these is the case: 1) the SO answer is
>>wrong; 2) Shiro is wrong; 3) I understand everything wrong.
>>
>>If #2, then AuthenticationToken should be
>>
>>import java.io.Serializable;
>>
>>// Proposed variant: the method name says that what is returned is an identifier
>>public interface AuthenticationToken extends Serializable {
>>    public Object getPrincipalId(); // added "Id"
>>    public Object getCredentials();
>>}
>>
>>
>>
>>--
>>Best regards, Alex Orlov
>>>Wednesday, 4 November 2020, 15:01 +03:00 from Benjamin Marwell < [email protected] >:
>>>
>>>Correct.
>>>
>>>To complete the picture:
>>>
>>>https://shiro.apache.org/terminology.html
>>>
>>>Also, the PrincipalCollection knows which realms the user is known in. This
>>>is why most methods return such a collection, not a single Principal.
>>>
>>>Most apps only have one realm, but they could have multiple realms. E.g.
>>>LDAP and a config file.
>>>
>>>
>>>
>>>On Wed, 4 Nov 2020, 12:30 Andreas Reichel, < [email protected] > wrote:
>>>>
>>>>
>>>>
>>>>On Wed, 2020-11-04 at 13:07 +0300, Alex Orlov wrote:
>>>>>So, could anyone explain what a Principal is — is it a User or User.getId()?
>>>>>
>>>>
>>>>Good afternoon Alex.
>>>>
>>>>While I am just a Shiro user (not a developer), my understanding is
>>>>that a Principal is anything you (or a service) can authenticate or
>>>>authorize against.
>>>>Any entity you can send to a service and get a response ("yes,
>>>>authenticated") for is a principal.
>>>>
>>>>The nature of this principal depends on the service itself.
>>>>If the authentication service expects a Username, then this Username is a
>>>>Principal. But if the service expects a Global Unique Token, then this
>>>>Username would not qualify as a Principal (but the Token would).
>>>>
>>>>Cheers!
>>>>Andreas
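An added example, written for this thread rather than taken from it or from Shiro's own sources, that puts the points in the messages above side by side: what `UsernamePasswordToken`, `BearerToken` and a hypothetical certificate token expose as principal versus credentials (Brian's point that a bearer token is only a credential and that a principal need not be a String), and why a Subject carries a `PrincipalCollection` keyed by realm rather than a single principal (Benjamin's point). It assumes `shiro-core` on the classpath; the `CertToken` and `CertSubject` classes and all usernames, ids, realm names and token values are constructed for the demo.

```java
// Added example for this thread; not code from the mailing list or from Shiro.
// Assumes shiro-core (with BearerToken) on the classpath. All usernames, ids,
// realm names and token values below are constructed for the demo.
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.BearerToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

import java.io.Serializable;

public class PrincipalVsCredentialDemo {

    // A non-String principal (hypothetical), standing in for a certificate subject.
    // A principal is an identifying attribute of a Subject, not the Subject itself.
    static final class CertSubject implements Serializable {
        final String dn;
        CertSubject(String dn) { this.dn = dn; }
        @Override public String toString() { return "CertSubject(" + dn + ")"; }
    }

    // Hypothetical token for certificate authentication: the parsed subject is the
    // principal, the raw certificate bytes are the credential.
    static final class CertToken implements AuthenticationToken {
        private final CertSubject subject;
        private final byte[] derEncoded;
        CertToken(CertSubject subject, byte[] derEncoded) {
            this.subject = subject;
            this.derEncoded = derEncoded;
        }
        @Override public Object getPrincipal() { return subject; }
        @Override public Object getCredentials() { return derEncoded; }
    }

    // Shows what a token exposes as "principal" versus "credentials"; only the
    // type of the credential is printed so no secret reaches the log.
    static void describe(String label, AuthenticationToken token) {
        Object principal = token.getPrincipal();
        Object credentials = token.getCredentials();
        System.out.printf("%-18s principal=%s  credentials=<%s>%n",
                label,
                principal == null ? "null"
                        : principal + " (" + principal.getClass().getSimpleName() + ")",
                credentials == null ? "none" : credentials.getClass().getSimpleName());
    }

    // The PrincipalCollection a Subject holds after authenticating against two
    // realms: the same person is "alice" in a config-file realm and id 42 in LDAP.
    static PrincipalCollection principalsFromTwoRealms() {
        SimplePrincipalCollection pc = new SimplePrincipalCollection("alice", "iniRealm");
        pc.add(42L, "ldapRealm");
        return pc;
    }

    public static void main(String[] args) {
        // 1) Username/password: the username is the identifying attribute,
        //    the password (a char[]) is the credential.
        UsernamePasswordToken upt = new UsernamePasswordToken("alice", "constructed-password");
        describe("username/password", upt);
        upt.clear(); // zeroes the password array once the token is no longer needed

        // 2) Bearer token: BearerToken.getPrincipal() is null; the whole token is
        //    the credential. Identity, if any, comes from validating the token.
        describe("bearer", new BearerToken("constructed-opaque-token"));

        // 3) Certificate: the principal is an object, not a String.
        describe("certificate",
                new CertToken(new CertSubject("CN=alice,O=Example"), new byte[] {0x30, 0x00}));

        // 4) One Subject, several realms: Shiro methods return a PrincipalCollection
        //    because each realm may know the same user by a different principal.
        PrincipalCollection pc = principalsFromTwoRealms();
        System.out.println("primary principal : " + pc.getPrimaryPrincipal()); // first one added
        System.out.println("realms            : " + pc.getRealmNames());
        System.out.println("from ldapRealm    : " + pc.fromRealm("ldapRealm"));
        System.out.println("String principals : " + pc.byType(String.class));
    }
}
```

Run it with `shiro-core` on the classpath (`javac -cp shiro-core.jar PrincipalVsCredentialDemo.java`). The useful contrast is the second case: a `BearerToken` has no principal at all, so any code that assumes `token.getPrincipal()` is a username will silently get `null` for bearer authentication and must instead obtain identity from validating the credential.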