摘自:Inside Java 2 Platform Security - 2nd Ed,published by Addison Wesley,2003
8.4.1 Subjects and Principals
Users often depend on computing services to assist them in performing work. Furthermore, services themselves might subsequently interact with other services.
JAAS uses the term subject to refer to a system entity, such as a user or a computing service.
JAAS用术语subject来表示系统实体,比如一个用户或者一个计算服务。
To identify the subjects with which it interacts, a computing service typically relies on names. However, a subject might not have the same name for each service and, in fact, may even have a different name for each individual service.
服务通常以来名字来标识那些和它交互的subject.然而一个subject一般不会用同一个名字面向每个服务,实际上,甚至subject会用各不相同的名字面向每个服务。
The term principal represents a name associated with a subject [71]. Because a subject may have multiple names, potentially one for each service with which it interacts, a subject in JAAS comprises a set of principals.
术语principal表示和一个subject关联的名字。因为一个subject可以有多个名字,以便和不同的服务交互时采用不同的名字,一个subject由一组principal组成。
Once a subject is authenticated, an instance of javax.security.auth.Subject is created to represent that subject and is populated with objects that implement the java.security.Principal interface.
一旦subject通过了认证,系统就会生成一个javax.security.auth.Subject的实例来表示该subject,并且加入一些实现java.security.Principal接口的对象到Subject实例中。
Authentication represents the process by which one system entity verifies the identity of another and must be performed in a secure fashion; otherwise, an intruder may impersonate others to gain access to a system.
认证就是一个系统实体验证另一个实体的身份的过程,并且必须在安全的方式下进行;否则入侵者就会伪装成别的实体进入系统。
Authentication typically involves the subject demonstrating possession of some form of evidence to prove its identity. Such evidence may be information only the subject would be likely to know or have, such as a password or smart card, or that only the subject could produce, such as signed data using a private key.
认证时,通常是一个subject出示其某种证据来证明它的身份。这些证据可以是这个subject知道或者拥有的信息,比如密码或者智能卡。。。
When it attempts to authenticate to a service, a subject typically provides the proof of its identity along with its name. If the authentication attempt succeeds, the service associates a service-specific Principal, using the given name, with the Subject. Applications and services can determine the identity of the Subject simply by referencing the relevant Principal associated with that Subject.
当它试图通过某个服务的认证时,subject通常随它的名字一起提供它身份的证明。如果认证通过了,服务会将一个特属于该服务的Principal和Subject关联,名字和subject请求认证时的名字相同。应用程序和服务可以通过参考Subject关联的Principal来识别Subject的身份。
Reliance on named principals usually derives from the fact that a service implements a conventional access control model of security [69]. This model allows a service to define a set of protected resources and the conditions under which named principals may access those resources.
命名的principals之所以值得信赖,源自服务一般都按惯例实现同一种访问控制安全模型。这个模型允许服务定义一个受保护的资源的集合,以及命名的principal可以访问这些资源的条件。
Both KeyNote [14] and SPKI [34] have focused on the limitations of using conventional names in large distributed systems for access control and note that public keys, instead, provide a more practical and scalable name representation.
JAAS and SPKI do not impose any restrictions on principal names. Localized environments that have limited namespaces or that do not rely on public-key cryptography may define principals that have conventional names.
Large-scale distributed systems may use principals that allow the principal name to be a public key.
8.4.2 Credentials
In addition to Principal information, some services may want to associate other security-related attributes and data with a Subject.
JAAS calls such generic security-related attributes credentials.
除了Principal的信息,有些服务还需要Subjec的其它一些安全相关的属性和数据。JAAS用术语credential表示这些平常的安全有关的属性。
A credential may contain information that could be used to authenticate the subject to additional services.
Some common types of credentials are passwords, Kerberos tickets [87] and public-key certificates.
一个credential可能包含该subject到其它的服务认证的信息。credentail通常是密码,Kerberos tickets以及公钥证书。
Many of these credential forms are used in environments that support single sign-on.
Credentials may also contain data that simply enables the subject to perform certain activities. Cryptographic keys,
for example, represent credentials that enable the subject to sign or encrypt data. In JAAS, credentials may be any type
of object. Therefore, existing credential implementations, such as java.security.cert.Certificate, can be easily
incorporated into JAAS. Third-party credential implementations may also be plugged in to the JAAS framework.
credentials也可以包含一些数据,以便subject可以执行一些特定点活动。比如包含Cryptographic keys, subject就可以签名或者加密数据。
在JAAS框架中,credential可以使任何类型的对象。
Although Kerberos tickets and cryptographic keys exemplify common types of credentials,
credentials can represent a wider range of security-related data.
Applications running on behalf of subjects must coordinate with the services on which they depend so as to
agree on the kinds of credentials that are needed and recognized during their interactions.
Thus, some credentials might be standard or well recognized, whereas others might be application and service specific.
In addition, credential implementations do not necessarily have to contain the security-related data;
they might simply reference that data. This occurs when the data must physically reside on a separate server or hardware device,
such as private keys on a smart card.
A subject must successfully authenticate to a service to obtain credentials. On successful authentication,
the service creates the appropriate credential object and associates it with the Subject.
Once a Subject has been populated with credentials, applications considered to be running on behalf of the subject may,
with the proper permissions, then access and use those credentials.
一个subject必须成功通过服务的认证,才能拿到credentials.
JAAS does not impose any restrictions about credential delegation to third parties.
Rather, JAAS either allows each credential implementation to specify its own delegation protocol, as Kerberos does,
or leaves delegation decisions up to the applications.
JAAS divides each Subject's credentials into two sets. One set contains the subject's public credentials,
such as public-key certificates. The other set stores the subject's private credentials, such as private keys,
Kerberos tickets, encryption keys, passwords, and so on.
To access a Subject's public credentials, no permissions are required. However,
access to a Subject's private credential set requires the caller to have been granted a PrivateCredentialPermission for the corresponding credential class.
本文地址:http://com.8s8s.com/it/it13705.htm